Problem getting a refresh token

[moises-marquez]

Yesterday I followed the example for next-firebase-auth and managed to successfully sign in/out; and today while trying to move the api routes to Fastify, I get the following error when logging in:

Problem getting a refresh token: {"error":{"code":400,"message":"INVALID_CUSTOM_TOKEN","errors":[{"message":"INVALID_CUSTOM_TOKEN","domain":"global","reason":"invalid"}]}}

I thought it was yet another issue of migrating the api routes to Fastify, but after reverting the changes and using Next.js api routes again, I see that the same error is being thrown.

Unfortunately I couldn't find anything on the next-firebase-auth documentation about refresh tokens. Do you have any clue on what the issue might be?

[kmjennison]

Does it work if you clear local data (including cookies) on your app, in case the cookie data is malformed/incorrect for some reason? Can you provide any code to reproduce the issue?

This library does sign in with a custom token to get a Firebase refresh token, which it uses to refresh the ID token on the server side. See the code here. The INVALID_CUSTOM_TOKEN error you're seeing is likely coming from that Google API call.

[moises-marquez]

Nope, it didn't help to clear the local data :(. Dunno if it helps, but the cookie was being set for the authdomain rather than for localhost.

As for my code, everything looks exactly like the example with just minor changer to execute the requests from Fastify:

initAuth.js looks like this:

const initAuth = () => {
    init({
        debug: false,
        authPageURL: '/auth',
        appPageURL: '/',
        loginAPIEndpoint: '/authapi/login',
        logoutAPIEndpoint: '/authapi/logout',
        ....

And my endpoints in Fastify:

fastify.post('/authapi/login', async (req, reply) => {
        try {
            await setAuthCookies(req, reply.raw)
        } catch (e) {
            // eslint-disable-next-line no-console
            console.error(e)
            return reply.code(500).header('Content-Type', 'application/json; charset=utf-8').send({ error: 'Unexpected error.' })
        }
        return reply.code(200).header('Content-Type', 'application/json; charset=utf-8').send({ status: true })
    })

    fastify.post('/authapi/logout', async (req, reply) => {
        try {
            await unsetAuthCookies(req, reply.raw)
        } catch (e) {
            // eslint-disable-next-line no-console
            console.error(e)
            return reply.code(500)
                .header('Content-Type', 'application/json; charset=utf-8')
                .send({ error: 'Unexpected error.' })
        }
        return reply.code(200).header('Content-Type', 'application/json; charset=utf-8')
            .send({ status: true })
    })

[kmjennison]

Your config looks OK to me.

You might try inspecting the custom token to see what's happening (by forking or modifying this library). For example, some people seem to run into this when their server time is incorrect. Or, you might try starting fresh with the example in this repo.

Hope you're able to identify the issue. I'll help where I can, though I unfortunately don't have much time to help investigate particular implementation problems.

[davscro]

I am having the same issue, just running the example project triggers the same while hitting /login api route 🤔

[davscro]

Ups, just found that I was using wrong FIREBASE_CLIENT_EMAIL instead of one from generated private key file I used the one specified in the firebase project.
The error has gone once I put correct email 🤗

[moises-marquez]

Good catch, davscro! I didn't notice that I reverted that from the .env file.

[timminata]

Thanks! I made this mistake as well 🤦 Appreciate the fix 👍

[DragoshDX]

davscro you really saved my day !!!

It is unfortunately unclear what email that thing wants in there, but yeah, as soon as used the client email that I had in my service account JSON file.

I have a follow-up, please let me know if I should open up a new discussion, can't we just set
GOOGLE_APPLICATION_CREDENTIALS and then just set the local path tot he json file (and of course then we set it up as a Vercel secret, with the whole JSON, unparsed)

I'm wondering if that might fix that issue the repo mentions around Vercel hosting

I am still researching it (will return with knowledge) but any insight would be appreciated.

[DragoshDX]

So far I only got:
FirebaseAppError: Service account object must contain a string "project_id" property.

When I just use GOOGLE_APPLICATION_CREDENTIALS

Maybe the process of adopting this package would be easier if that generic google env key would work?