auth_time doesn't match user's lastSignInTime (always matches iat instead)

[lovelle-cardoso]

[REQUIRED] Describe your environment

• Operating System version: Windows 10 Home Version 20H2, Build 19042.1052
• Browser version: Chrome Version 91.0.4472.164 (64-bit)
• Firebase SDK version: firebase 9.0.0-beta.6
• Firebase Product: Firestore Emulator, Database Emulator, Storage Emulator

[REQUIRED] Describe the problem

According to the documentation, auth_time should match the user's last sign in time, and iat should match the time this token was issued. This means auth_time should only be updated once, when the user signed in, and iat should change every hour when a new token is issued. This is not the case however. Despite what the documentation says, auth_time changes every hour at the same time as iat. This means auth_time always matches iat, and can't be used in security rules to check the time the user last signed in

https://firebase.google.com/docs/reference/admin/node/admin.auth.DecodedIdToken#auth_time

Steps to reproduce:

1. Create the following firestore.rules file

rules_version = '2';
service cloud.firestore {
   match /databases/{database}/documents {
    allow read, write: if request.auth != null && request.auth.token.auth_time < request.auth.token.iat;
  }
}

2. Use npm run serve to run the new rules in your local emulators
3. Sign in as a user on your client app.

Expected Result:

All reads and writes should fail for about the first hour. But after an hour has passed (and firebase has automatically issued the user a new token) the reads and writes should start succeeding

Actual Result:

All reads and writes fail forever. This is because auth_time always changes in lock-step with iat, despite the documentation saying that auth_time should remain stable after login and only iat should change every hour.

[looptheloop88]

Hi @lovelle-cardoso, thanks for the report. To isolate the issue, are you only experiencing this issue using an emulator? I tried connecting or using the production (not emulator) instance and I was able to write Firestore data successfully after an hour.

[lovelle-cardoso]

@looptheloop88 It's an emulator only issue I believe.

[looptheloop88]

Hi @lovelle-cardoso, thanks for the confirmation. Let me check this out with our engineers here and update this thread if I have any information to share. Thanks.

[looptheloop88]

Thanks for patiently waiting. I have filed an internal bug (b/194700929) for this issue. I will keep this thread posted for any updates or if I have any other information to share.

[yuchenshi]

The Auth Emulator doesn't accurately emulate auth_time behavior right now -- we just picked something that works for most use cases. Thanks for bring this up to our attention.

As @looptheloop88 noted, we now track this internally for a fix. We are unable to promise any timeline for this, but if others also have this issue, adding a +1 on this issue can help us prioritize adding this to the roadmap.

[yuchenshi]

Looks like the problematic line is

firebase-tools/src/emulator/auth/operations.ts

Line 1729 in e4ab4cc

auth_time: toUnixTimestamp(new Date()),

-- we're also happy to review a PR with the fix and tests.

[lovelle-cardoso]

@looptheloop88 @yuchenshi All right I've submitted a PR with a fix and added a unit test for it: #3610

^ Actually, had to delete that PR and make a new one here since my commit author wasn't correct: #3611

[lovelle-cardoso]

@looptheloop88 @yuchenshi PR with fix and unit test is here: #3611