Nikul Panchal

Reputation: 1673

Getting error: "Your client does not have permission to get URL" in Firebase Functions

I am new to Firebase. I have deployed one function, and it uses the GET method:

https://us-central******.cloudfunctions.net/addMessage

When I try to call this API, I get the error below:

Error: Forbidden
Your client does not have permission to get URL /addMessage from this server.

Can anyone please help me resolve this issue?

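// Imports and Admin SDK initialisation that the handler below depends on.
const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp();

exports.addMessage = functions.https.onRequest(async (req, res) => {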
    // Grab the text parameter.
    const original = req.query.text;
    // Push the new message into the Realtime Database using the Firebase Admin SDK.
    const snapshot = await admin.database().ref('/messages').push({ original: original });
    // Redirect with 303 SEE OTHER to the URL of the pushed object in the Firebase console.
    res.redirect(303, snapshot.ref.toString());
});

Upvotes: 0

Views: 7655

Answers (5)

Toine Heuvelmans

Reputation: 707

I encountered a similar issue with a new function I added to a project that already contained several functions that didn't have any issues. Upon calling the new function I received a 401 Unauthorized with an HTML body:

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>401 Unauthorized</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unauthorized</h1>
<h2>Your client does not have permission to the requested URL <code>/myNewFunction</code>.</h2>
<h2></h2>
</body></html>

In the Google Cloud Console page for the Function details, under the Permissions tab, I noticed it lacked the "Cloud Functions Invoker" role for the "allUsers" principal that was included in all other functions. Adding it manually had no effect. I then recalled that I aborted the first deploy attempt of the function and only fully deployed it later, which probably put the function in some unexpected state.

I removed the function and deployed it again. It now included the "Cloud Functions Invoker" permission and it no longer returned a 401.

Upvotes: 0

Boommeister

Reputation: 2127

It can also happen if you use the wrong subpath. For me the URL was somehow wrong: instead of resendConfirmEmail it tried to call resendConfirmEmail%20. That function didn't exist, and Google responded with 403:

https://europe-west1-my-project.cloudfunctions.net/resendConfirmEmail%20?userId=imFeBoV...&email=gr...%40...com

when it should have been:

https://europe-west1-my-project.cloudfunctions.net/resendConfirmEmail?userId=imFeBoV...&email=gr...%40...com

Upvotes: 0

Emile

Reputation: 11721

After trying to delete individual functions and upload them again, I ultimately had to delete all of the previously deployed functions and deploy them all.

Once I'd done that a couple of times, the functions deployed.

There are two possible causes I can think of for this, both very ambiguous.

  1. I found that there was one offending file, and the only thing that fixed the deploy was to change the length of the file name. Yes, the length of the filename. One character too long and the deployment failed. If this was a Windows 95 machine I'd have said the inheritance chain path was too long for the compiler. However, compilation and running on the emulator worked fine. So who knows.

  2. I had tried to set up cloud build, and left that part half finished. I had updated the .firebaserc as a part of that. Perhaps, just perhaps, the deployment didn't like the fact the default projects list had changed, and didn't match the existing functions.

I'm totally guessing as to the cause, but because the error is so ambiguous, with no apparent cause, I figured this might help people find the cause.

Upvotes: 0

Daniel Muñoz

Reputation: 1792

I ran into this (or a very similar problem) today. When I invoked one of my functions from Postman, I got:

<html>

<head>
    <meta http-equiv="content-type" content="text/html;charset=utf-8">
    <title>401 Unauthorized</title>
</head>

<body text=#000000 bgcolor=#ffffff>
    <h1>Error: Unauthorized</h1>
    <h2>Your client does not have permission to the requested URL
        <code>/myApi/somePath?</code>.</h2>
    <h2></h2>
</body>

</html>

I tried redeploying the functions, but that didn't work.

Solution: Delete your functions and deploy them again.

What I did was:

  1. Exported a single dummy function from functions/index.ts and removed my original functions.
  2. Deployed. That deleted my original functions.
  3. Verified that the dummy function worked well.
  4. Restored my original functions and deployed again.
  5. Verified that my original functions worked.

Background and possible cause

I had a new Firebase project and I tried to deploy my functions many times but got some errors related to permissions. I guess that left the functions in a weird state...

I managed to deploy the functions successfully later, but they were not in a good state and I got that error response from Postman when I called one of them.

The errors I got were the following:

Error 1:

Error: Missing permissions required for functions deploy. You must have permission iam.serviceAccounts.ActAs on service account [email protected].

Error 2:

Error: Missing permissions required for functions deploy. You must have permission iam.serviceAccounts.ActAs on service account [email protected].

Error 3:

Unable to set the invoker for the IAM policy on the following functions:
        someFunction1(us-central1)
        someFunction2(us-central1)

Some common causes of this:

- You may not have the roles/functions.admin IAM role. Note that roles/functions.developer does not allow you to change IAM policies.

Upvotes: 0

Lin Du

Reputation: 102467

From the doc, argument --allow-unauthenticated:

Specifies that the function does not require authentication to invoke. By default HTTP functions require authentication. If you do not include this flag the first time you deploy an HTTP function, you are prompted to allow unauthenticated invocations. You are not prompted on subsequent invocations.

So, you need to deploy the cloud functions with this argument if you don't need authentication. E.g.

A simple cloud function, index.js:

exports.helloHttp = (req, res) => {
  res.send(`Hello ${req.body.name || 'World'}!`);
};

Deploy without --allow-unauthenticated:

gcloud beta functions deploy helloHttp --trigger-http --runtime nodejs10

When you access the endpoint of this cloud function, https://us-central1-xxxx-218801.cloudfunctions.net/helloHttp, you will get this 403 Forbidden error:

Error: Forbidden Your client does not have permission to get URL /helloHttp from this server.

Deploy with --allow-unauthenticated:

gcloud beta functions deploy helloHttp --trigger-http --runtime nodejs10 --allow-unauthenticated

You can access the endpoint without authentication:

Hello World!

Upvotes: 1
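
An added example, not part of any answer above and not Google's tooling: a Node.js triage helper for the two causes the answers describe, a missing "Cloud Functions Invoker" binding and a mistyped path such as resendConfirmEmail%20. It assumes each function's policy was saved from `gcloud functions get-iam-policy NAME --format=json`; the `triage` helper, project name, service account and policies are constructed for illustration.

```javascript
// Added example (not from the original answers). Policies below are constructed
// samples in the shape printed by `gcloud functions get-iam-policy --format=json`.
const INVOKER_ROLE = 'roles/cloudfunctions.invoker';

// Members that hold the invoker role in one function's IAM policy.
function invokers(policy) {
  return (policy.bindings || [])
    .filter((b) => b.role === INVOKER_ROLE)
    .flatMap((b) => b.members || []);
}

// First path segment of the request URL, percent-decoded, so a stray
// "%20" shows up as a trailing space instead of hiding in the encoding.
function functionNameFromUrl(url) {
  const segment = new URL(url).pathname.split('/')[1] || '';
  return decodeURIComponent(segment);
}

// Probable reason an unauthenticated request to `url` gets a 401/403.
// `deployed` is a Map of function name -> IAM policy object.
function triage(url, deployed) {
  const name = functionNameFromUrl(url);
  if (!deployed.has(name)) {
    const trimmed = name.trim();
    return deployed.has(trimmed)
      ? { cause: 'path-typo', expected: trimmed }
      : { cause: 'no-such-function', name };
  }
  const members = invokers(deployed.get(name));
  if (members.includes('allUsers')) return { cause: 'none', exposure: 'public' };
  // allAuthenticatedUsers admits any Google account, so it is still broad exposure.
  const exposure = members.includes('allAuthenticatedUsers') ? 'any-google-account' : 'restricted';
  return { cause: 'caller-needs-identity-token', exposure, members };
}

// Constructed sample data.
const deployed = new Map([
  ['helloHttp', { bindings: [{ role: INVOKER_ROLE, members: ['allUsers'] }] }],
  ['addMessage', { bindings: [] }],
  ['resendConfirmEmail', { bindings: [{ role: INVOKER_ROLE, members: ['serviceAccount:caller@example.iam.gserviceaccount.com'] }] }],
]);

for (const url of [
  'https://us-central1-example.cloudfunctions.net/helloHttp',
  'https://us-central1-example.cloudfunctions.net/addMessage?text=hi',
  'https://us-central1-example.cloudfunctions.net/resendConfirmEmail%20?userId=1',
]) console.log(url, JSON.stringify(triage(url, deployed)));
```

A function reported as `public` accepts requests from anyone on the internet, so a handler that writes to the database, like addMessage in the question, has to validate its callers and input itself.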
