PERMISSION_DENIED in firebase emulator using Google Auth provider

[jean-smaug]

[REQUIRED] Environment info

firebase-tools: 9.8.0

Platform: MacOS Catalina 10.15.6

[REQUIRED] Test case

I'm trying to insert data in firebase firestore emulator.
I'm using two emulators : firestore and auth.
User is logged using Google auth provider. So I created a mock user that have Google as auth provider.
But I can't insert data with firestore auth rules.

// firebase web SDK config
import firebase from "firebase/app";

import "firebase/analytics";
import "firebase/auth";
import "firebase/firestore";
import { isMock } from "../utils/environement";

const firebaseConfig = {
  apiKey: "...",
  authDomain: "...",
  projectId: "...",
  storageBucket: "...",
  messagingSenderId: "...",
  appId: "...",
  measurementId: "...",
};

if (!firebase.apps.length) {
  firebase.initializeApp(firebaseConfig);
}

if (isMock) {
  firebase.auth().useEmulator("http://localhost:9099");

  firebase.firestore().settings({
    experimentalForceLongPolling: true,
  });
  firebase.firestore.setLogLevel("debug");
  firebase.firestore().useEmulator("0.0.0.0", 8080);
}

export default firebase;

// firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

// firebase.json
{
  "firestore": {
    "rules": "firestore.rules",
    "indexes": "firestore.indexes.json"
  },
  "storage": {
    "rules": "storage.rules"
  },
  "emulators": {
    "auth": {
      "port": 9099
    },
    "firestore": {
      "port": 8080
    },
    "ui": {
      "enabled": true
    }
  }
}

[REQUIRED] Steps to reproduce

My app is a next.js app.
So next start and firebase emulators:start.

In my code I try to do the following

const MyComponent = () => {
  React.useEffect(() => {
    firebase.firestore().collection("users").add({ some: "data" })
  }, [])
  
  return (...)
}

[REQUIRED] Expected behavior

I'm expecting to have my data inserted -

[REQUIRED] Actual behavior

An error is sent

Here are the logs displayed in console

[2021-04-04T15:50:19.078Z]  @firebase/firestore: Firestore (8.3.2): FirestoreClient Received user= hJbX2oOFLzuYcqMHdVXbdAMp1dIO
index.esm.js?abfd:106 [2021-04-04T15:50:19.081Z]  @firebase/firestore: Firestore (8.3.2): FirestoreClient Using default OnlineComponentProvider
index.esm.js?abfd:106 [2021-04-04T15:50:19.081Z]  @firebase/firestore: Firestore (8.3.2): FirestoreClient Using default OfflineComponentProvider
index.esm.js?abfd:106 [2021-04-04T15:50:19.081Z]  @firebase/firestore: Firestore (8.3.2): FirestoreClient Initializing OfflineComponentProvider
index.esm.js?abfd:106 [2021-04-04T15:50:19.083Z]  @firebase/firestore: Firestore (8.3.2): FirestoreClient Initializing OnlineComponentProvider
index.esm.js?abfd:106 [2021-04-04T15:50:19.085Z]  @firebase/firestore: Firestore (8.3.2): MemoryPersistence Starting transaction: Locally write mutations
index.esm.js?abfd:106 [2021-04-04T15:50:19.088Z]  @firebase/firestore: Firestore (8.3.2): MemoryPersistence Starting transaction: Get next mutation batch
index.esm.js?abfd:106 [2021-04-04T15:50:19.089Z]  @firebase/firestore: Firestore (8.3.2): MemoryPersistence Starting transaction: Get next mutation batch
index.esm.js?abfd:106 [2021-04-04T15:50:19.090Z]  @firebase/firestore: Firestore (8.3.2): Connection Creating WebChannel: http://0.0.0.0:8080/google.firestore.v1.Firestore/Write/channel {"httpSessionIdParam":"gsessionid","initMessageHeaders":{"X-Goog-Api-Client":"gl-js/ fire/8.3.2","X-Firebase-GMPID":"1:748589150774:web:46b259f11b4927aa971e97","Content-Type":"text/plain","Authorization":"Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJuYW1lIjoiT3R0ZXIgT2xpdmUiLCJlbWFpbCI6Im90dGVyLm9saXZlLjY0NEBleGFtcGxlLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdXRoX3RpbWUiOjE2MTc1NTAyOTcsInVzZXJfaWQiOiJoSmJYMm9PRkx6dVljcU1IZFZYYmRBTXAxZElPIiwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJlbWFpbCI6WyJvdHRlci5vbGl2ZS42NDRAZXhhbXBsZS5jb20iXSwiZ29vZ2xlLmNvbSI6WyI4MjcyNzkyNzEwOTU2MjAwNTUwMTEwNTM4NzY2NzgyOTU5NDU2NTY0Il19LCJzaWduX2luX3Byb3ZpZGVyIjoiZ29vZ2xlLmNvbSJ9LCJpYXQiOjE2MTc1NTAyOTcsImV4cCI6MTYxNzU1Mzg5NywiYXVkIjoiZmlyZWRldi05YmQxYyIsImlzcyI6Imh0dHBzOi8vc2VjdXJldG9rZW4uZ29vZ2xlLmNvbS9maXJlZGV2LTliZDFjIiwic3ViIjoiaEpiWDJvT0ZMenVZY3FNSGRWWGJkQU1wMWRJTyJ9."},"messageUrlParams":{"database":"projects/.../databases/(default)"},"sendRawJson":true,"supportsCrossDomainXhr":true,"internalChannelParams":{"forwardChannelRequestTimeoutMs":600000},"forceLongPolling":true,"detectBufferingProxy":false,"httpHeadersOverwriteParam":"$httpHeaders"}
index.esm.js?abfd:106 [2021-04-04T15:50:19.091Z]  @firebase/firestore: Firestore (8.3.2): RemoteStore RemoteStore received new credentials
index.esm.js?abfd:106 [2021-04-04T15:50:19.092Z]  @firebase/firestore: Firestore (8.3.2): RemoteStore Stopping write stream with 1 pending writes
index.esm.js?abfd:106 [2021-04-04T15:50:19.093Z]  @firebase/firestore: Firestore (8.3.2): MemoryPersistence Starting transaction: Get next mutation batch
index.esm.js?abfd:106 [2021-04-04T15:50:19.093Z]  @firebase/firestore: Firestore (8.3.2): MemoryPersistence Starting transaction: Get next mutation batch
index.esm.js?abfd:106 [2021-04-04T15:50:19.094Z]  @firebase/firestore: Firestore (8.3.2): Connection Creating WebChannel: http://0.0.0.0:8080/google.firestore.v1.Firestore/Write/channel {"httpSessionIdParam":"gsessionid","initMessageHeaders":{"X-Goog-Api-Client":"gl-js/ fire/8.3.2","X-Firebase-GMPID":"1:748589150774:web:46b259f11b4927aa971e97","Content-Type":"text/plain","Authorization":"Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJuYW1lIjoiT3R0ZXIgT2xpdmUiLCJlbWFpbCI6Im90dGVyLm9saXZlLjY0NEBleGFtcGxlLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdXRoX3RpbWUiOjE2MTc1NTAyOTcsInVzZXJfaWQiOiJoSmJYMm9PRkx6dVljcU1IZFZYYmRBTXAxZElPIiwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJlbWFpbCI6WyJvdHRlci5vbGl2ZS42NDRAZXhhbXBsZS5jb20iXSwiZ29vZ2xlLmNvbSI6WyI4MjcyNzkyNzEwOTU2MjAwNTUwMTEwNTM4NzY2NzgyOTU5NDU2NTY0Il19LCJzaWduX2luX3Byb3ZpZGVyIjoiZ29vZ2xlLmNvbSJ9LCJpYXQiOjE2MTc1NTAyOTcsImV4cCI6MTYxNzU1Mzg5NywiYXVkIjoiZmlyZWRldi05YmQxYyIsImlzcyI6Imh0dHBzOi8vc2VjdXJldG9rZW4uZ29vZ2xlLmNvbS9maXJlZGV2LTliZDFjIiwic3ViIjoiaEpiWDJvT0ZMenVZY3FNSGRWWGJkQU1wMWRJTyJ9."},"messageUrlParams":{"database":"projects/.../databases/(default)"},"sendRawJson":true,"supportsCrossDomainXhr":true,"internalChannelParams":{"forwardChannelRequestTimeoutMs":600000},"forceLongPolling":true,"detectBufferingProxy":false,"httpHeadersOverwriteParam":"$httpHeaders"}
index.esm.js?abfd:106 [2021-04-04T15:50:19.096Z]  @firebase/firestore: Firestore (8.3.2): PersistentStream stream callback skipped by getCloseGuardedDispatcher.
index.esm.js?abfd:106 [2021-04-04T15:50:19.097Z]  @firebase/firestore: Firestore (8.3.2): Connection Opening WebChannel transport.
index.esm.js?abfd:106 [2021-04-04T15:50:19.098Z]  @firebase/firestore: Firestore (8.3.2): Connection WebChannel sending: {"database":"projects/.../databases/(default)"}
index.esm.js?abfd:106 [2021-04-04T15:50:19.109Z]  @firebase/firestore: Firestore (8.3.2): Connection WebChannel transport opened.
index.esm.js?abfd:106 [2021-04-04T15:50:19.115Z]  @firebase/firestore: Firestore (8.3.2): Connection WebChannel received: {"streamId":"12","streamToken":"MA=="}
index.esm.js?abfd:106 [2021-04-04T15:50:19.116Z]  @firebase/firestore: Firestore (8.3.2): Connection WebChannel sending: {"streamToken":"MA==","writes":[{"update":{"name":"projects/.../databases/(default)/documents/polls/hS8rhYb6qPEwsK500ONQ/votes/hJbX2oOFLzuYcqMHdVXbdAMp1dIO","fields":{"ranking":{"arrayValue":{"values":[{"mapValue":{"fields":{"id":{"stringValue":"answer-4"},"rank":{"integerValue":"1"},"value":{"stringValue":"ezg"}}}},{"mapValue":{"fields":{"id":{"stringValue":"answer-3"},"rank":{"integerValue":"2"},"value":{"stringValue":"ez"}}}},{"mapValue":{"fields":{"id":{"stringValue":"answer-2"},"rank":{"integerValue":"3"},"value":{"stringValue":"fze"}}}},{"mapValue":{"fields":{"id":{"stringValue":"answer-1"},"rank":{"integerValue":"4"},"value":{"stringValue":"fzefez"}}}},{"mapValue":{"fields":{"id":{"stringValue":"answer-0"},"rank":{"integerValue":"5"},"value":{"stringValue":"zefzef"}}}}]}},"date":{"timestampValue":"2021-04-04T15:50:19.075000000Z"}}}}]}
index.esm.js?abfd:106 [2021-04-04T15:50:19.131Z]  @firebase/firestore: Firestore (8.3.2): Connection WebChannel received error: {"message":"PERMISSION_DENIED: \nfalse for 'create' @ L5","status":"PERMISSION_DENIED"}
index.esm.js?abfd:106 [2021-04-04T15:50:19.133Z]  @firebase/firestore: Firestore (8.3.2): PersistentStream close with error: FirebaseError: [code=permission-denied]: PERMISSION_DENIED: 
false for 'create' @ L5
index.esm.js?abfd:106 [2021-04-04T15:50:19.134Z]  @firebase/firestore: Firestore (8.3.2): MemoryPersistence Starting transaction: Reject batch
index.esm.js?abfd:106 [2021-04-04T15:50:19.171Z]  @firebase/firestore: Firestore (8.3.2): MemoryPersistence Starting transaction: Get next mutation batch

[paulovitin]

Same here... =/

[pikax]

I'm also having the same issue, just linking another issue here firebase/firebase-js-sdk#4721

[samtstern]

@jean-smaug thanks for reporting this, just 2 follow up questions:

1. Does this still happen if you remove firebase.firestore().settings({ experimentalForceLongPolling: true });?
2. Does this only happen with Google Auth or with all auth providers?

[pikax]

@jean-smaug thanks for reporting this, just 2 follow up questions:

1. Does this still happen if you remove firebase.firestore().settings({ experimentalForceLongPolling: true });?
2. Does this only happen with Google Auth or with all auth providers?

Not asked to me, but I can give my experience:

1. Yes, I don't have that call on my setup, also is happening on the alpha version https://modularfirebase.web.app/
2. It also happens with user/password, it seems the request.auth is always null

[jean-smaug]

@jean-smaug thanks for reporting this, just 2 follow up questions:

1. Does this still happen if you remove firebase.firestore().settings({ experimentalForceLongPolling: true });?
2. Does this only happen with Google Auth or with all auth providers?

I can confirm what @pikax said.

1. it still happen without experimentalForceLongPolling
2. I maid a quick test with anonymous auth and it's also generating an error

[zwily]

For me at least, it only happens with v8.3.2 of the Firebase js sdk. 8.3.1 works fine against current tools, so it may be an sdk regression.

[jean-smaug]

For me at least, it only happens with v8.3.2 of the Firebase js sdk. 8.3.1 works fine against current tools, so it may be an sdk regression.

Tested in 8.3.1 and it works well 👍

[samtstern]

Thanks for all the info everyone! Sounds like an issue with the JS SDK 8.3.2 release ... we're going to dig into it.

[yuchenshi]

Hi all, we've located the problem in Firestore Emulator and we are working on a fix. In the meantime, downgrading to Firestore JS SDK v8.3.1 is a possible workaround.

[yuchenshi]

This should be fixed in Firebase CLI v9.9.0.

[jean-smaug]

Solved by v9.9.0 thanks. 👍

[kroikie]

I'm still seeing this on 9.9.0 of the CLI with 8.4.1 of the SDK. Downgrading the SDK to 8.3.1 still works as a workaround for me.

[samtstern]

@yuchenshi we are continuing to get reports of this issue, from @kroikie as well as here:
firebase/firebase-js-sdk#4795 (comment)

Is there some other path we didn't consider?

[akauppi]

@kroikie Do you have a project where I could try to replicate the problem, or is it closed source? I'm struck by this, as Sam mentions, and wondering whether it's my system, my code, or what...

[markgoho]

@samtstern I'm also running into this issue with https://github.com/ideacrew/active-branch-tracker

feel free to clone, then (after npm i in the root and /functions dir) from the root of the project

1. npm run start:emulators (including some seed data and auth accounts)
2. npm run start:functions (written in TS)
3. npm run start:app

Log in with [email protected] pw: testuser

I have a few rules related to auth, and so with the help of the super handy debug function, here's the firestore-deub.log has for the request object:

Apr 21, 2021 4:05:46 PM io.gapi.emulators.netty.HttpVersionRoutingHandler channelRead
INFO: Detected non-HTTP/2 connection.
Apr 21, 2021 4:05:48 PM io.gapi.emulators.netty.HttpVersionRoutingHandler channelRead
INFO: Detected non-HTTP/2 connection.
Apr 21, 2021 4:05:48 PM com.google.net.webchannel.server.common.CorsFilter populateCustomHeaders
WARNING: Invalid $httpHeaders: X-Goog-Api-Client:gl-js/ fire/8.3.3
X-Firebase-GMPID:
Content-Type:text/plain
Authorization:Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJuYW1lIjoiVGVzdCBVc2VyIiwicGljdHVyZSI6Imh0dHBzOi8vaW1hZ2VzLnVuc3BsYXNoLmNvbS9waG90by0xNTM1NzEzODc1MDAyLWQxZDBjZjM3N2ZkZT9peGlkPU1Yd3hNakEzZkRCOE1IeHdhRzkwYnkxd1lXZGxmSHg4ZkdWdWZEQjhmSHclM0QmaXhsaWI9cmItMS4yLjEmYXV0bz1mb3JtYXQmZml0PWNyb3Amdz0xMDAmcT04MCIsInJvbGUiOiJhZG1pbiIsImVtYWlsIjoidGVzdHVzZXJAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImF1dGhfdGltZSI6MTYxOTAzNDMxMywidXNlcl9pZCI6InI5TWMwU2Fsc1VXNlEyblM0eDVudjd2UjdKZVMiLCJmaXJlYmFzZSI6eyJpZGVudGl0aWVzIjp7ImVtYWlsIjpbInRlc3R1c2VyQGV4YW1wbGUuY29tIl19LCJzaWduX2luX3Byb3ZpZGVyIjoicGFzc3dvcmQifSwiaWF0IjoxNjE5MDM0MzEzLCJleHAiOjE2MTkwMzc5MTMsImF1ZCI6ImFjdGl2ZS1icmFuY2hlcy1yZXBvcnQiLCJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vYWN0aXZlLWJyYW5jaGVzLXJlcG9ydCIsInN1YiI6InI5TWMwU2Fsc1VXNlEyblM0eDVudjd2UjdKZVMifQ.

map_value {
  fields {
    key: "auth"
    value {
      null_value: NULL_VALUE
    }
  }
  fields {
    key: "fields"
    value {
      null_value: NULL_VALUE
    }
  }
  fields {
    key: "headers"
    value {
      map_value {
      }
    }
  }
  fields {
    key: "inTransaction"
    value {
      bool_value: false
    }
  }
  fields {
    key: "method"
    value {
      string_value: "get"
    }
  }
  fields {
    key: "path"
    value {
      path_value {
        segments {
          simple: "databases"
        }
        segments {
          simple: "(default)"
        }
        segments {
          simple: "documents"
        }
        segments {
          simple: "users"
        }
        segments {
          simple: "r9Mc0SalsUW6Q2nS4x5nv7vR7JeS"
        }
      }
    }
  }
  fields {
    key: "time"
    value {
      timestamp_value {
        seconds: 1619035548
        nanos: 467000000
      }
    }
  }
}

Apr 21, 2021 4:05:48 PM io.gapi.emulators.netty.HttpVersionRoutingHandler channelRead
INFO: Detected non-HTTP/2 connection.

[samtstern]

@akauppi @markgoho @kroikie we found the problem and have a fix. It's being fixed in two places:

1. Don't send empty GMPID header firebase-js-sdk#4810
2. Update Firestore emulator to v1.11.15 #3297

Right now neither fix has been released but when the next JS SDK and Emulator release go out either fix should be sufficient to stop this issue from happening.

Right now the only workaround is to downgrade your JS SDK to 8.3.1 or lower, as mentioned.

[akauppi]

@samtstern Appreciating that the fix was found. Is there any estimate you can share about the release to the users? April or May?

[samtstern]

@akauppi can't promise anything! We don't have fixed release timelines. If you look at our history though you can see we do releases every 1-2 weeks: https://github.com/firebase/firebase-tools/releases

So I don't think you'll have to wait long.

[IdanCo]

I'm assuming it still hasn't been merged since I'm having this problem on a fresh project.

One question though - how do I downgrade the JS SDK to 8.3.1 or lower?
Is it a dependency of the global firebase-tools or is a dependency in my functions folder?

update: stupid me, it was the angular client. Downgraded, works great!

[bdetry]

Still have the issue with firebase cli 9.12.1.

Had to downgrade firebase JS to 8.3.1 to make it work but with that version it tries to verify the user online and not with the emulator

[GustavoCostaW]

same issue here as well with "firebase": "^7.0 || ^8.0",

[louis030195]

Same here

Firebase CLI: 9.16.5

Functions: firebase-admin: 9.11.0

Client: firebase: 8.10.0

Platform: MacOS Big Sur 11.5.2

https://stackoverflow.com/questions/68892861/firebaseerror-permission-denied-when-all-permissions-allowed-emulator?noredirect=1#comment121754479_68892861

UPDATE: solved with client 8.3.1

[gthemiller]

Hi! How is this still a thing?

[yuchenshi]

@gthemiller The original issue has been resolved and closed. Please kindly open a new issue and provide details using the template if you're still experiencing this issue. Thanks!

[goofballLogic]

Also still seeing this sporadically. One system it works fine, another request.auth is always null

[NayamAmarshe]

I fixed my issue this way:

1. Uninstalled the Firebase CLI: curl -sL firebase.tools | uninstall=true bash
2. Reinstalled it.
3. Deleted ~/.cache/firebase.

The error disappeared :D

[tonioloewald]

@NayamAmarshe this is actually the correct answer and you win one internet. Also note that you may need to upgrade Java after doing this.

The reason it works is that firebase-tools caches the emulator binaries in the directory and upgrading firebase-tools doesn't automatically blow away the old emulator binaries.

[polRk]

I have the same problem with auth rules.