node.js - SSR Auth through FirebaseServerApp fails when using Website restrictions on Firebase API keys - Stack Overflow

I am trying to get server-rendered data containing user information. I am using a service worker to attach an "Authorization" header including the Firebase Auth idToken as described in Firebase tutorials. On the server I am initializing a FirebaseServerApp instance to verify the idToken from the headers. I can verify that the token is passed to the server by printing it in the logs.

When the Firebase API keys are unrestricted (in GCP > APIs & Services > Credentials > "[Browser key (auto created by Firebase)" > Application restrictions > Websites) the code works fine and the current user uid is included in the server-rendered components. Adding the Website restrictions with the domain of the deployed app (without code changes) breaks the SSR Auth with the following error: auth/requests-from-referer-<empty>-are-blocked. I can verify that the "referer" header is included with the value listed in the GCP Website restriction.

Error after adding restrictions:

FirebaseServerApp could not login user with provided authIdToken:  Error [FirebaseError]: Firebase: Error (auth/requests-from-referer-<empty>-are-blocked.).
    at m (.next/server/chunks/977.js:16:141895)
    at f (.next/server/chunks/977.js:16:141425)
    at T (.next/server/chunks/977.js:16:147152)
    at async eu.initializeCurrentUserFromIdToken (.next/server/chunks/977.js:16:168130)
    at async (.next/server/chunks/977.js:16:167600) {
  code: 'auth/requests-from-referer-<empty>-are-blocked.',
  customData: {}
}

I am trying to get server-rendered data containing user information. I am using a service worker to attach an "Authorization" header including the Firebase Auth idToken as described in Firebase tutorials. On the server I am initializing a FirebaseServerApp instance to verify the idToken from the headers. I can verify that the token is passed to the server by printing it in the logs.

When the Firebase API keys are unrestricted (in GCP > APIs & Services > Credentials > "[Browser key (auto created by Firebase)" > Application restrictions > Websites) the code works fine and the current user uid is included in the server-rendered components. Adding the Website restrictions with the domain of the deployed app (without code changes) breaks the SSR Auth with the following error: auth/requests-from-referer-<empty>-are-blocked. I can verify that the "referer" header is included with the value listed in the GCP Website restriction.

Error after adding restrictions:

FirebaseServerApp could not login user with provided authIdToken:  Error [FirebaseError]: Firebase: Error (auth/requests-from-referer-<empty>-are-blocked.).
    at m (.next/server/chunks/977.js:16:141895)
    at f (.next/server/chunks/977.js:16:141425)
    at T (.next/server/chunks/977.js:16:147152)
    at async eu.initializeCurrentUserFromIdToken (.next/server/chunks/977.js:16:168130)
    at async (.next/server/chunks/977.js:16:167600) {
  code: 'auth/requests-from-referer-<empty>-are-blocked.',
  customData: {}
}

• node.js
• firebase-authentication
• firebase-admin

Share Improve this question Follow edited Feb 17 at 2:04 samurai jack asked Feb 2 at 8:25 samurai jacksamurai jack 41111 gold badge88 silver badges1212 bronze badges 2

• 1 On Stack Overflow, do not require the reader to use links to external information. Everything should be in the question itself so future readers always have immediate access to it. If you have code, copy and paste it into the question so it's easy to read, copy, and search. – Doug Stevenson Commented Feb 2 at 14:16
• I'll update the question. – samurai jack Commented Feb 4 at 14:06

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 0

Got a reply from Google Support saying that SSR with Website restriction is not yet available on Firebase App Hosting. They suggested switching to their older product, Firebase Hosting.