Reputation: 3674
I'm trying to get Firebase Session Cookies to work to keep one Auth across all the subdomains.
Now I have the subdomain accounts.mysite.com, where I have the Cloud Functions routed to as well as the login forms. After registering there I call my Cloud Function:
```typescript
import * as express from "express";
import { Request, Response } from "express";
import * as admin from "firebase-admin";

const app = express();
const auth = admin.auth();

app.get("/authenticate/sign-in-user", async (req: Request, res: Response) => {
  const idToken = req.query.token as string;
  const expiresIn = 60 * 60 * 24 * 5 * 1000; // 5 days, in milliseconds
  let sessionCookie: string;
  try {
    sessionCookie = await auth.createSessionCookie(idToken, { expiresIn });
  } catch (e) {
    // return here, otherwise execution continues and a second response is attempted
    res.status(401).end("Invalid ID Token");
    return;
  }
  const options = {
    maxAge: expiresIn,
    httpOnly: true,
    secure: false,
    domain: ".mysite.com",
  };
  res.cookie("__session", sessionCookie, options);
  res.end(JSON.stringify({ status: "success" }));
});
```
That works perfectly and the session cookie is set. Now, on my function which checks if the cookie is valid and returns the data:
```typescript
import * as express from "express";
import { Request, Response } from "express";
import * as cookieParser from "cookie-parser";
import * as admin from "firebase-admin";

const app = express();
app.use(cookieParser()); // assumed: req.cookies is only populated with this middleware

app.get("/authenticate/check-user", async (req: Request, res: Response) => {
  try {
    const sessionCookie = req.cookies.__session || "";
    if (!sessionCookie) {
      // return, otherwise verifySessionCookie("") throws and a second response is attempted
      res.status(403).send("No Cookie found.");
      return;
    }
    console.log(sessionCookie);
    const decodedClaims = await admin.auth().verifySessionCookie(sessionCookie, true);
    console.log(decodedClaims);
    res.end(JSON.stringify(decodedClaims));
  } catch (e) {
    res.status(401).send("The found Cookie is not valid");
  }
});
```
This works fine if I call it right from accounts.mysite.com, but when I want to call the check-user function while on a subdomain like hello.mysite.com, I always get a 403 error back.
Inspecting the site, the cookie is currently set, so I am not sure why it's not readable in the Cloud Function.
Upvotes: 2
Views: 1221
Reputation: 76679
Have not tried any of that, but when looking at the script, I'd suspect CSRF protection. I'd try to set secure: true and also domain: "mysite.com". Just found this, which seems to be related: Cross domain state cookie issue for oAuth using firebase functions while on the same domain.
Upvotes: 1
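As an added example that is not part of the question or the answer (and not Firebase's or Express's own code): a small Node model of how a browser scopes the `__session` cookie by Domain, Path and Secure, plus a stand-in for the check-user handler, so the 403 from the question and the two attribute changes suggested in the answer can be reproduced offline. It uses only Node built-ins; the hostnames are the placeholders from the question, and `stubVerify` is a constructed replacement for `admin.auth().verifySessionCookie`. It goes slightly beyond the question by also covering the host-only case (no Domain attribute at all).

```javascript
// Added example, not code from the question or the answer: models browser
// cookie scoping (Domain, Path, Secure) and a check-user stand-in.
// Node built-ins only. Hostnames are the placeholders from the question;
// stubVerify is a constructed replacement for admin.auth().verifySessionCookie.

// Parse a Set-Cookie header value as emitted by res.cookie(). settingHost is
// the host that issued the cookie (needed for host-only cookies).
function parseSetCookie(header, settingHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: settingHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the setting host gets it back
    path: "/",
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain":
        // RFC 6265 section 5.2.3: a leading dot is dropped, so ".mysite.com"
        // and "mysite.com" scope the cookie to exactly the same hosts.
        cookie.domain = v.replace(/^\./, "").toLowerCase();
        cookie.hostOnly = false;
        break;
      case "path": cookie.path = v || "/"; break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      default: break; // Max-Age, Expires and SameSite are not modelled here
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Would a browser attach this cookie to a request for url?
function browserSendsCookie(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false; // Secure: https only
  if (cookie.hostOnly && u.hostname.toLowerCase() !== cookie.domain) return false;
  if (!cookie.hostOnly && !domainMatches(u.hostname, cookie.domain)) return false;
  return u.pathname.startsWith(cookie.path);
}

// Stand-in for the check-user handler, with the early return after the 403
// so an empty cookie never reaches verification.
function checkUser(cookieHeader, verify) {
  const cookies = Object.fromEntries(
    (cookieHeader || "").split(";").filter((c) => c.includes("=")).map((c) => {
      const [k, ...rest] = c.trim().split("=");
      return [k, rest.join("=")];
    })
  );
  const session = cookies.__session || "";
  if (!session) return { status: 403, body: "No Cookie found." };
  try {
    return { status: 200, body: verify(session) };
  } catch (e) {
    return { status: 401, body: "The found Cookie is not valid" };
  }
}

// Constructed stub: accepts one known value and returns fake claims.
function stubVerify(sessionCookie) {
  if (sessionCookie !== "abc") throw new Error("bad session cookie");
  return { uid: "placeholder-uid" };
}

// End to end: does the browser send the cookie, and what does the handler say?
function simulateRequest(cookie, url, verify = stubVerify) {
  const header = browserSendsCookie(cookie, url)
    ? `${cookie.name}=${cookie.value}`
    : undefined;
  return checkUser(header, verify);
}

// Demo: the header res.cookie() emits for the options in the question
// (secure: false, domain: ".mysite.com"), issued by accounts.mysite.com,
// next to a host-only variant with no Domain attribute.
const posted = parseSetCookie(
  "__session=abc; Max-Age=432000; Domain=.mysite.com; Path=/; HttpOnly",
  "accounts.mysite.com"
);
const hostOnly = parseSetCookie("__session=abc; Path=/; HttpOnly", "accounts.mysite.com");
for (const [label, c] of [["Domain=.mysite.com", posted], ["no Domain", hostOnly]]) {
  const r = simulateRequest(c, "https://hello.mysite.com/authenticate/check-user");
  console.log(`${label} -> hello.mysite.com: ${r.status}`);
}
```

Running the model shows that, under these rules, `Domain=.mysite.com` and `Domain=mysite.com` both reach hello.mysite.com, so the answer's domain change on its own does not alter scoping; what does change the outcome is `Secure` (the cookie is withheld on plain http) and a missing Domain attribute (the cookie stays host-only on accounts.mysite.com). Real browsers add SameSite and public-suffix rules on top of this model.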