HTTP limitations? (DEF-3410) (SOLVED)

britzl · August 17, 2018, 9:03pm

Yes, I did a similar test and found that we limit the path to 512 characters. This obviously needs to be fixed. I created a ticket to track this: DEF-3410. It should be an easy fix but I can’t make any promises as to when we will release it.

Does Firebase support an auth token header perhaps?

britzl · August 17, 2018, 9:10pm

Yes, it’s basically this:

char m_Path[512];

Should only be a matter of increasing to something a bit larger, say 2048. 2048 seems like a reasonable value based on this: https://stackoverflow.com/a/417184/1266551

jonnyleeharris · August 17, 2018, 9:38pm

I’ll take a look into workarounds - but unfortunately I don’t think they do.

At least I know what’s causing the problem and if you have a fix in the works I can sleep easy!

Thanks

britzl · August 18, 2018, 9:37am

This page seems to indicate support for an auth header, but I couldn’t get it to work:

https://firebase.google.com/docs/database/rest/auth#authenticate_with_an_access_token

Am I looking at the wrong docs?

jonnyleeharris · August 18, 2018, 10:30am

That’s the right page, but there are two ways to authenticate.

You can use a header to authenticate with Google OAuth2 access tokens, typically used on a server - which gives you full read and write access to the database.

If you want to authenticate with Firebase ID tokens, which are used for authenticating users - you must append the auth parameter to the request.

britzl · August 18, 2018, 8:00pm

Ah, gotcha! Ok, we’ll have to wait for an engine fix. If there’s no side-effects of increasing that array then it’s released in a weeks time (1.2.135).

britzl · August 28, 2018, 4:23am

Released in 1.2.135

jonnyleeharris · September 13, 2018, 5:13pm

Hey, got back from my vacation and tried it out.

Unfortunately I am still having issues, but this time not with the length of the URL.

After playing around I am seeing errors from the REST API endpoint that are consistent with an incorrect auth key being passed in the URL (unlike before, it was a malformed/short one). From what I can see, this indicates that Defold might be doing some encoding of its own to the URL. Is there any way you can verify this? Thanks!

EDIT: When using Postman Echo, it does appear that the auth token passed IS correct. So my hypothesis on what is causing the issue is likely incorrect.

jonnyleeharris · September 13, 2018, 5:27pm

A sample URL:

https://triggered-d1327.firebaseio.com/user_saves/X4Rj7Jht8EfLVJWgOLOW6Lg5hbs1/base_64_encoded_save.json?auth=eyJhbGciOiJSUzI1NiIsImtpZCI6IjBmNTVkZWZlOWU5YzU2ZmRhZTRkOGY0MDFjZjQ5Njc4YzE2N2MzYWEifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vdHJpZ2dlcmVkLWQxMzI3IiwibmFtZSI6IkpvbmF0aGFuIEhhcnJpcyIsInBpY3R1cmUiOiJodHRwczovL2dyYXBoLmZhY2Vib29rLmNvbS8xMDE1NjM2ODg0NTY3NTQzNS9waWN0dXJlIiwiYXVkIjoidHJpZ2dlcmVkLWQxMzI3IiwiYXV0aF90aW1lIjoxNTM2ODU4ODgyLCJ1c2VyX2lkIjoiWDRSajdKaHQ4RWZMVkpXZ09MT1c2TGc1aGJzMSIsInN1YiI6Ilg0Umo3Smh0OEVmTFZKV2dPTE9XNkxnNWhiczEiLCJpYXQiOjE1MzY4NTg4ODIsImV4cCI6MTUzNjg2MjQ4MiwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJmYWNlYm9vay5jb20iOlsiMTAxNTYzNjg4NDU2NzU0MzUiXX0sInNpZ25faW5fcHJvdmlkZXIiOiJmYWNlYm9vay5jb20ifX0.gGneHgLHPuTMY3QaUiz4EYQpHYsNVt87YZz6V1S2D9sPM4IWrsmxA-Skuj5JzZbvHLT_4l4uwQ5IYtz0Wq7CYpkmzA2veac9lU6rt-LYprNwtsISRutznhk54eicoFOteBuKnRIgkmn4PLaApjYkoriu0krKCBwqs8KWInXw0XMsc0eXyPRzPIrdnpm7Pv-bpxbAjb-8XmQr50ZnxIHpulK5B7XQrJ-xmbyNLRLUAO_arl2augNFnQ_DTiAqMUX_whc0EjZxQWCQZdlfJ2YppEiDN0bwq9lfjgr-UN4xB9pKTb0FEFf8rJJwlugEvqolFW87YjNTKDhPSM7ldHb02A

This should give a response of the data at the location, in Postman (or just in a browser) I will see:

"some sdfsdfdfdf"

In Defold I would see:

"Unable to validate signature."

The auth key will expire, so I can generate new URLs if and when you want to check this.

britzl · September 14, 2018, 5:41am

We do not encode the URL in any way. That is up to you as a developer to take care of. But in this case it shouldn’t be needed. Can you share the token validation code? What could potential cause it to not be able to validate it?

britzl · September 14, 2018, 6:07am

Hmm, when I paste the token here: https://jwt.io/ it also says “Invalid Signature”. Not sure if that is relevant or not…

jonnyleeharris · September 14, 2018, 11:21am

The token itself is fine.

If you paste this URL into a browser:

https://triggered-d1327.firebaseio.com/user_saves/X4Rj7Jht8EfLVJWgOLOW6Lg5hbs1/base_64_encoded_save.json?auth=eyJhbGciOiJSUzI1NiIsImtpZCI6IjBmNTVkZWZlOWU5YzU2ZmRhZTRkOGY0MDFjZjQ5Njc4YzE2N2MzYWEifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vdHJpZ2dlcmVkLWQxMzI3IiwibmFtZSI6IkpvbmF0aGFuIEhhcnJpcyIsInBpY3R1cmUiOiJodHRwczovL2dyYXBoLmZhY2Vib29rLmNvbS8xMDE1NjM2ODg0NTY3NTQzNS9waWN0dXJlIiwiYXVkIjoidHJpZ2dlcmVkLWQxMzI3IiwiYXV0aF90aW1lIjoxNTM2OTIzNjgyLCJ1c2VyX2lkIjoiWDRSajdKaHQ4RWZMVkpXZ09MT1c2TGc1aGJzMSIsInN1YiI6Ilg0Umo3Smh0OEVmTFZKV2dPTE9XNkxnNWhiczEiLCJpYXQiOjE1MzY5MjM2ODIsImV4cCI6MTUzNjkyNzI4MiwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJmYWNlYm9vay5jb20iOlsiMTAxNTYzNjg4NDU2NzU0MzUiXX0sInNpZ25faW5fcHJvdmlkZXIiOiJmYWNlYm9vay5jb20ifX0.n_n2e6RWBpZq0vlPYUl5kOfgneEG3Ud4VaI9BhoU2JDXOjqbbqrqRDx3t7_ArT_XRUrp81m9LnnhmSzq9hef01LCAqKLEj6kzSnPpKu6jcbMWcHR6zNxpsjYK2kQGoxQ05_EqIE09HBYa2ELpzwXym3LCBRNWYV0ylyfcyN4-CY_dCjNdB-e9r_yzmCQ74Atp5Id-LN5U0uuegeBTO4oYs4wAEY9q0UBZOLuAAub8lN-GNcEBOZF0_00lAPgi2N8Ertlw8nmuSy2_aVF8JyNKLexyiGdEjNqg-DpbJ-AhAYwMUOKN_Tyixo9qUgWeYQevYJEVntIjGv_IAs0B6HWAg

You will get a response, which is the data at the location.

If you make this call in Defold, you will get a different response - that’s the problem.

Using the following code:

local url = "https://triggered-d1327.firebaseio.com/user_saves/X4Rj7Jht8EfLVJWgOLOW6Lg5hbs1/base_64_encoded_save.json?auth=eyJhbGciOiJSUzI1NiIsImtpZCI6IjBmNTVkZWZlOWU5YzU2ZmRhZTRkOGY0MDFjZjQ5Njc4YzE2N2MzYWEifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vdHJpZ2dlcmVkLWQxMzI3IiwibmFtZSI6IkpvbmF0aGFuIEhhcnJpcyIsInBpY3R1cmUiOiJodHRwczovL2dyYXBoLmZhY2Vib29rLmNvbS8xMDE1NjM2ODg0NTY3NTQzNS9waWN0dXJlIiwiYXVkIjoidHJpZ2dlcmVkLWQxMzI3IiwiYXV0aF90aW1lIjoxNTM2OTIzNjgyLCJ1c2VyX2lkIjoiWDRSajdKaHQ4RWZMVkpXZ09MT1c2TGc1aGJzMSIsInN1YiI6Ilg0Umo3Smh0OEVmTFZKV2dPTE9XNkxnNWhiczEiLCJpYXQiOjE1MzY5MjM2ODIsImV4cCI6MTUzNjkyNzI4MiwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJmYWNlYm9vay5jb20iOlsiMTAxNTYzNjg4NDU2NzU0MzUiXX0sInNpZ25faW5fcHJvdmlkZXIiOiJmYWNlYm9vay5jb20ifX0.n_n2e6RWBpZq0vlPYUl5kOfgneEG3Ud4VaI9BhoU2JDXOjqbbqrqRDx3t7_ArT_XRUrp81m9LnnhmSzq9hef01LCAqKLEj6kzSnPpKu6jcbMWcHR6zNxpsjYK2kQGoxQ05_EqIE09HBYa2ELpzwXym3LCBRNWYV0ylyfcyN4-CY_dCjNdB-e9r_yzmCQ74Atp5Id-LN5U0uuegeBTO4oYs4wAEY9q0UBZOLuAAub8lN-GNcEBOZF0_00lAPgi2N8Ertlw8nmuSy2_aVF8JyNKLexyiGdEjNqg-DpbJ-AhAYwMUOKN_Tyixo9qUgWeYQevYJEVntIjGv_IAs0B6HWAg"
http.request(url, "GET", function(self,id,response)
	pprint(response)
end)

gives the following response:

{
  status = 401,
  response = {
  "error" : "Unable to validate signature."
}
,
  headers = {
    server = nginx,
    strict-transport-security = max-age=31556926; includeSubDomains; preload,
    content-type = application/json; charset=utf-8,
    connection = keep-alive,
    content-length = 48,
    cache-control = no-cache,
    date = Fri, 14 Sep 2018 11:18:16 GMT,
    access-control-allow-origin = *,
  }
}

britzl · September 14, 2018, 11:22am

Yes, I’ve tested this myself and seen the same thing. Not really sure what could be wrong. I’ll try to figure it out.

jonnyleeharris · September 14, 2018, 11:24am

Thanks, I’ll continue to experiment myself and keep this thread updated with my findings.

jonnyleeharris · September 14, 2018, 5:05pm

Also, I should have said that I think the token is fine. It could very well be part of the problem.

Using https://jwt.io however gives me a good result with:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjBmNTVkZWZlOWU5YzU2ZmRhZTRkOGY0MDFjZjQ5Njc4YzE2N2MzYWEifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vdHJpZ2dlcmVkLWQxMzI3IiwibmFtZSI6IkpvbmF0aGFuIEhhcnJpcyIsInBpY3R1cmUiOiJodHRwczovL2dyYXBoLmZhY2Vib29rLmNvbS8xMDE1NjM2ODg0NTY3NTQzNS9waWN0dXJlIiwiYXVkIjoidHJpZ2dlcmVkLWQxMzI3IiwiYXV0aF90aW1lIjoxNTM2OTIzNjgyLCJ1c2VyX2lkIjoiWDRSajdKaHQ4RWZMVkpXZ09MT1c2TGc1aGJzMSIsInN1YiI6Ilg0Umo3Smh0OEVmTFZKV2dPTE9XNkxnNWhiczEiLCJpYXQiOjE1MzY5MjM2ODIsImV4cCI6MTUzNjkyNzI4MiwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJmYWNlYm9vay5jb20iOlsiMTAxNTYzNjg4NDU2NzU0MzUiXX0sInNpZ25faW5fcHJvdmlkZXIiOiJmYWNlYm9vay5jb20ifX0.n_n2e6RWBpZq0vlPYUl5kOfgneEG3Ud4VaI9BhoU2JDXOjqbbqrqRDx3t7_ArT_XRUrp81m9LnnhmSzq9hef01LCAqKLEj6kzSnPpKu6jcbMWcHR6zNxpsjYK2kQGoxQ05_EqIE09HBYa2ELpzwXym3LCBRNWYV0ylyfcyN4-CY_dCjNdB-e9r_yzmCQ74Atp5Id-LN5U0uuegeBTO4oYs4wAEY9q0UBZOLuAAub8lN-GNcEBOZF0_00lAPgi2N8Ertlw8nmuSy2_aVF8JyNKLexyiGdEjNqg-DpbJ-AhAYwMUOKN_Tyixo9qUgWeYQevYJEVntIjGv_IAs0B6HWAg

EDIT: Just noticed the invalid signature part you mentioned, whoops… maybe this leads somewhere.
EDIT2: Which makes sense… there’s no public key. Still stumped…

jonnyleeharris · September 14, 2018, 5:18pm

If I bundle as HTML, it works - so it would seem that something happening in the engine with the HTTP request. I still don’t have any clues for you however. If you continue to test with that URL, you would expect token expired/permission denied response - we want to avoid the ‘unable to validate…’ response.

britzl · September 14, 2018, 7:23pm

Ok, so it works from a browser… hmm… that’s a clue at least. The http.request function has a different implementation on HTML5.

jonnyleeharris · September 17, 2018, 1:48pm

Is there anything you can share me regarding the implementation of the http requests so I might be able to figure out what’s going on?

britzl · September 17, 2018, 4:37pm

No not really I’m afraid. I’ve been stuck working on another thing. I’ll look into this soon, most likely on Wednesday.

jonnyleeharris · September 17, 2018, 5:21pm

OK thanks.