Randomly: Firebase ID Token has expired

1,641 views
Skip to first unread message

mi...@tocca.io

unread,
Oct 30, 2018, 5:30:14 PM10/30/18
to Firebase Google Group
Hello,

Over the past couple of weeks, I've seen about half a dozen random and unreproducible crashes in Functions that come with an error message saying that the Firebase ID Token is expired. In our client, we always request a new token, forcing a refresh, before sending a request to the backend.  I paid a bit more attention to the most recent one.  It came from Admin, after we had successfully uploaded a file to a storage bucket, and were then attempting to create a PubSub for further processing.  At this point, there was no client interaction, and the client was clearly able to authenticate successfully to get to this point.  So it was purely a backend crash at a point where the ID token shouldn't matter.  Any ideas about this?  We are using version 5.1.1 of tools, etc.

Thanks!
-Miles

Kato Richardson

unread,
Nov 1, 2018, 11:41:14 AM11/1/18
to fireba...@googlegroups.com
Hi Miles,

An invalid id token doesn't cause any sort of crash in Functions. That sounds like a coding issue.

As for why the token is has expired, that's hard to say. I'd guess that the client is running into a coding bug or caching issue that's causing it to send the old token. Perhaps a race condition where it sends the token before the forced refresh completes. Hard to guess without code.

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/714afb53-18cf-4c93-b6e5-48ce0ba7568d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

mi...@tocca.io

unread,
Nov 2, 2018, 3:25:46 AM11/2/18
to Firebase Google Group
For reference, here's what shows up in the logs:

3:54:05.325 PM:
Error while verifying Firebase ID token: { Error: Firebase ID token has expired. Get a fresh token from your client app and try again (auth/id-token-expired). See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.
    at FirebaseAuthError.FirebaseError [as constructor] (/srv/node_modules/firebase-admin/lib/utils/error.js:39:28)
    at FirebaseAuthError.PrefixedFirebaseError [as constructor] (/srv/node_modules/firebase-admin/lib/utils/error.js:85:28)
    at new FirebaseAuthError (/srv/node_modules/firebase-admin/lib/utils/error.js:143:16)
    at /srv/node_modules/firebase-admin/lib/auth/token-verifier.js:194:35
    at Object.module.exports [as verify] (/srv/node_modules/jsonwebtoken/verify.js:126:14)
    at /srv/node_modules/firebase-admin/lib/auth/token-verifier.js:183:17
    at new Promise (<anonymous>)
    at FirebaseTokenVerifier.verifyJwtSignatureWithKey (/srv/node_modules/firebase-admin/lib/auth/token-verifier.js:182:16)
    at /srv/node_modules/firebase-admin/lib/auth/token-verifier.js:166:30
    at <anonymous>
  errorInfo: 
   { code: 'auth/argument-error',
     message: 'Firebase ID token has expired. Get a fresh token from your client app and try again (auth/id-token-expired). See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.' },
  codePrefix: 'auth' }

3:54:05.327 PM
Unhandled rejection

3:54:05.328 PM
TypeError: Cannot read property 'end' of undefined
    at firebase.admin.auth.verifyIdToken.then.catch (/srv/index.js:74:71)
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:228:7)
mi...@tocca.io
unread,
Nov 2, 2018, 3:25:46 AM11/2/18
to Firebase Google Group
Hi Kato,

Thanks for the response.  All of the error messages and the crash were coming from Firebase Auth, not from any of our functions.  Additionally, none of the stack traces referenced any calling code in our functions.  So if it is something on our end, that makes it exceptionally difficult to attempt to debug.

Thanks,
-Miles


On Thursday, November 1, 2018 at 8:41:14 AM UTC-7, Kato Richardson wrote:
Kato Richardson
unread,
Nov 2, 2018, 5:31:28 PM11/2/18
to fireba...@googlegroups.com
Yeah, that does seem frustrating. But the stack looks about right for an invalid token. The verifyIdToken() method does indeed reject the promise in that case, which leads to the .catch() block.

It looks like the .catch() method off of verifyIdToken() is looking for "end" and that doesn't exist, which seems to be the crux of the problem.

☼, Kato






To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/68f60ce2-4a23-404a-8ca0-cd58bc4714bc%40googlegroups.com.


For more options, visit https://groups.google.com/d/optout.


Reply all
Reply to author
Forward
0 new messages