"Missing or insufficient permissions" when upgrading above 9.16.0 for security rules

[MvRemmerden]

After upgrading next-firebase-auth to 1.0.2 and following the new way of initializing the firebase app before NFA, I now get "Missing or insufficient permissions" if I use firebase 9.17.1, but it works as expected when I use 9.16.0.

Did this maybe not get caught in the example app, because there are no security rules?

[kmjennison]

That's possible. Are you using the default Firebase app? Could you try removing all properties except apiKey from firebaseClientInitConfig in the NFA config, just to make sure NFA is using the same Firebase app that you initialize?

[MvRemmerden]

@kmjennison You might be onto something here, when I remove all other properties I'm getting this error:

FirebaseError: Firebase: Firebase App named '[DEFAULT]' already exists with different options or config (app/duplicate-app).

[MvRemmerden]

@kmjennison I created a super minimal reproduction in my fork https://github.com/MvRemmerden/next-firebase-auth.

In the example folder, I only added one file (pages/logged-in-client.tsx) where you can see that with 9.17.1 or 10.0.0 you will always run into "Missing or insufficient permissions". The only fix I could find so far was downgrading to 9.16.0.

I suppose that means the problem must have been introduced somewhere in the changes between 9.16.0 and 9.17.1: firebase/firebase-js-sdk@firebase@9.16.0...firebase@9.17.1

These are the database content and rules:

rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    match /{path=**}/public/{id} {
      allow read;
    }
    match /{path=**}/protected/{id} {
      allow read: if request.auth != null;
    }
  }
}

I can also add my firebase configuration, but then I would have to make the repository private and invite you. Just let me know what you prefer.

[MvRemmerden]

Interestingly I just noticed there is one way to make the content under /logged-in-client appear without error. If you try to reach the page while being unauthenticated, get redirected to the login where you enter your information, and then get redirected back to /logged-in-client, it works as expected~

However, as soon as you refresh the page, you will from then on always get the same Missing or insufficient permissions error again.

[MvRemmerden]

Sadly it does not look like this issue got fixed by #716 😞

[MvRemmerden]

@kmjennison I've been starting to look into it, as that switch from 9.16.0 to 9.17.1 seems to break a lot of things, and I think it will be important to fix this.

As you have a way better understanding about the flow and connections, do you have any pointers or assumptions what the underlying problem might be, that could help a lot speed up the investigation process.

[kmjennison]

@MvRemmerden I don't, unfortunately, and don't have much spare time to dedicate at the moment. Sorry about that! I'll try to answer questions and jump in when I can.

[MvRemmerden]

@kmjennison I just noticed #669, where I think you started to explore this already.

Is this in Draft mode because it just needs to be finished off but already works, or did the changes there not end up fixing the problems when upgrading to 9.17.1?

[kmjennison]

I wasn't able to identify the issue (likely something with bundles/builds), which is why we switched to recommend explicitly initializing Firebase: #614 (comment)