I am unable to get the idToken returned by getIdToken()

[iataand]

Hi,

I am using a session cookie in my application in order to manage user sessions obtained using createSessionCookie. This method takes in an idToken(not uid) that I am creating using signInWithPopup.

const userData = await signInWithPopup(auth, googleAuthProvider);
const idToken = await userData.user.getIdToken();

const sessionCookie = await adminAuth.createSessionCookie(idToken, ...);

I am trying to replicate the same flow in a test and I am unable to figure out a way to get the idToken. All of the methods are returning only uid, email or displayName. Am I missing something?

[prescottprue]

I don't think we have createSessionCookie exposed at this point - this is part of the firebase-admin SDK though, so is this being done client side or server side within your app? If it is happening server side then you will most likely want your test to trigger that logic on you server instead of trying to mock that within Cypress. I'm not sure how it would be happening client side (though that is where signInWithPopup is from). Are you passing the id token to your backend?

Generally for auth cy.login is used which generates a custom auth token via firebase-admin (all internal to cypress-firebase). Once the user is authenticated it would mirror the sign in with popup (without needing to sign in via the popup), and getIdToken should still work to get an id token of the user after being authenticated - then passing to a backend should work the same way.

Maybe I'm misunderstanding? Are you able to provide an example repo where you are doing this logic in an app and a Cypress test you are trying to write to confirm it?

[iataand]

Yes, you are correct. I am passing the idToken to a next.js api route and and calling createSessionCookie server-side (like this). cy.login works but it doesn't actually return the idToken that I need. The logic that triggers the serverside call to generate the cookie is happening after the login button is pressed inside the popup, and I can't trigger that logic from the test.

Here is the actual example in my repo.

getIdToken should still work to get an id token of the user after being authenticated

Where would I call the getIdToken method? I am a bit confused.

In the test I am trying to do something like this:

cy.request( 'api/login', body: {
   idToken: idToken
});

And inside the api route:

const sessionCookie = await adminAuth.createSessionCookie(idToken, {
      expiresIn,
    });
const cookieStore = await cookies();
cookieStore.set("sessionCookie", sessionCookie, {
  httpOnly: true,
  secure: true,
});

If it is happening server side then you will most likely want your test to trigger that logic on you server instead of trying to mock that within Cypress

I am not trying to mock it. You are right again. Sorry If I am not too coherent in my explanations. I honestly have almost no clue what I am doing.

[prescottprue]

No worries, auth stuff can be difficult especially when mixing custom stuff with Firebase. A few questions:

• Are you trying to test your login page itself in your Cypress test or are you trying to test another part of the application that needs authentication? I ask because cy.login should get you authenticated in the Firebase sdk, then you let your app handle the back and forth with your backend (instead of doing that manually in Cypress)
• What exactly is the goal of the session cookie vs just having Firebase's SDK manage the session for you? And using firebase.auth().currentUser.getIdToken to get a token which you verify in your backend endpoints via firebase-admin's verifyIdToken? (as described in the Firebase docs here). Maybe I'm misunderstanding what you are going for, but I find it easier to have Firebase's SDK manage the auth session for you instead of messing with cookies yourself. As seen in this functions example if you need to you can fallback to the session cookie that the SDK sets itself - totally up to you, but I ask because once you are authenticated with cy.login (which is authenticating with a custom auth token) the Firebase JS SDK will function the same as if you had really logged in

[iataand]

I think I should have cleared out this from the start. I am using Next.js, and the the purpose of the cookie validation is to have a way to handle auth state in server components. I don't really have a traditional backend as I think you have assumed.

• I am trying to test an entire flow in my app, not just the login. Cy.login works in my test however I am unable to make the call to the endpoint that sets the cookie. So even though I am getting an authenticated state from the SDK client-side, I am unable to navigate to protected routes in my app because the cookie validation fails.
• I am using this session cookie method because I am using Next.js and I need a way to handle authentication state inside server components. The Firebase's SDK only works client-side(at least from my understanding). I can't figure out a better way to do this.

if you need to you can fallback to the session cookie that the SDK sets itself

Are you sure that the SDK sets an actual cookie? I am unable to find something other than a localstorage entry in Dynamic DB. And I can't access localstorage in server component.