HTTP limitations? (DEF-3410) (SOLVED)

Yes, I did a similar test and found that we limit the path to 512 characters. This obviously needs to be fixed. I created a ticket to track this: DEF-3410. It should be an easy fix but I can’t make any promises as to when we will release it.

Does Firebase support an auth token header perhaps?

Yes, it’s basically this:

char m_Path[512];

Should only be a matter of increasing to something a bit larger, say 2048. 2048 seems like a reasonable value based on this: https://stackoverflow.com/a/417184/1266551

1 Like

I’ll take a look into workarounds - but unfortunately I don’t think they do.

At least I know what’s causing the problem and if you have a fix in the works I can sleep easy!

Thanks

1 Like

This page seems to indicate support for an auth header, but I couldn’t get it to work:

https://firebase.google.com/docs/database/rest/auth#authenticate_with_an_access_token

Am I looking at the wrong docs?

That’s the right page, but there are two ways to authenticate.

You can use a header to authenticate with Google OAuth2 access tokens, typically used on a server - which gives you full read and write access to the database.

If you want to authenticate with Firebase ID tokens, which are used for authenticating users - you must append the auth parameter to the request.

Ah, gotcha! Ok, we’ll have to wait for an engine fix. If there’s no side-effects of increasing that array then it’s released in a weeks time (1.2.135).

1 Like

Released in 1.2.135

1 Like

Hey, got back from my vacation and tried it out.

Unfortunately I am still having issues, but this time not with the length of the URL.

After playing around I am seeing errors from the REST API endpoint that are consistent with an incorrect auth key being passed in the URL (unlike before, it was a malformed/short one). From what I can see, this indicates that Defold might be doing some encoding of its own to the URL. Is there any way you can verify this? Thanks!

EDIT: When using Postman Echo, it does appear that the auth token passed IS correct. So my hypothesis on what is causing the issue is likely incorrect.

A sample URL:

https://triggered-d1327.firebaseio.com/user_saves/X4Rj7Jht8EfLVJWgOLOW6Lg5hbs1/base_64_encoded_save.json?auth=eyJhbGciOiJSUzI1NiIsImtpZCI6IjBmNTVkZWZlOWU5YzU2ZmRhZTRkOGY0MDFjZjQ5Njc4YzE2N2MzYWEifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vdHJpZ2dlcmVkLWQxMzI3IiwibmFtZSI6IkpvbmF0aGFuIEhhcnJpcyIsInBpY3R1cmUiOiJodHRwczovL2dyYXBoLmZhY2Vib29rLmNvbS8xMDE1NjM2ODg0NTY3NTQzNS9waWN0dXJlIiwiYXVkIjoidHJpZ2dlcmVkLWQxMzI3IiwiYXV0aF90aW1lIjoxNTM2ODU4ODgyLCJ1c2VyX2lkIjoiWDRSajdKaHQ4RWZMVkpXZ09MT1c2TGc1aGJzMSIsInN1YiI6Ilg0Umo3Smh0OEVmTFZKV2dPTE9XNkxnNWhiczEiLCJpYXQiOjE1MzY4NTg4ODIsImV4cCI6MTUzNjg2MjQ4MiwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJmYWNlYm9vay5jb20iOlsiMTAxNTYzNjg4NDU2NzU0MzUiXX0sInNpZ25faW5fcHJvdmlkZXIiOiJmYWNlYm9vay5jb20ifX0.gGneHgLHPuTMY3QaUiz4EYQpHYsNVt87YZz6V1S2D9sPM4IWrsmxA-Skuj5JzZbvHLT_4l4uwQ5IYtz0Wq7CYpkmzA2veac9lU6rt-LYprNwtsISRutznhk54eicoFOteBuKnRIgkmn4PLaApjYkoriu0krKCBwqs8KWInXw0XMsc0eXyPRzPIrdnpm7Pv-bpxbAjb-8XmQr50ZnxIHpulK5B7XQrJ-xmbyNLRLUAO_arl2augNFnQ_DTiAqMUX_whc0EjZxQWCQZdlfJ2YppEiDN0bwq9lfjgr-UN4xB9pKTb0FEFf8rJJwlugEvqolFW87YjNTKDhPSM7ldHb02A

This should give a response of the data at the location, in Postman (or just in a browser) I will see:

"some sdfsdfdfdf"

In Defold I would see:

"Unable to validate signature."

The auth key will expire, so I can generate new URLs if and when you want to check this.

1 Like

We do not encode the URL in any way. That is up to you as a developer to take care of. But in this case it shouldn’t be needed. Can you share the token validation code? What could potential cause it to not be able to validate it?

1 Like

Hmm, when I paste the token here: https://jwt.io/ it also says “Invalid Signature”. Not sure if that is relevant or not…

1 Like

The token itself is fine.

If you paste this URL into a browser:

https://triggered-d1327.firebaseio.com/user_saves/X4Rj7Jht8EfLVJWgOLOW6Lg5hbs1/base_64_encoded_save.json?auth=eyJhbGciOiJSUzI1NiIsImtpZCI6IjBmNTVkZWZlOWU5YzU2ZmRhZTRkOGY0MDFjZjQ5Njc4YzE2N2MzYWEifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vdHJpZ2dlcmVkLWQxMzI3IiwibmFtZSI6IkpvbmF0aGFuIEhhcnJpcyIsInBpY3R1cmUiOiJodHRwczovL2dyYXBoLmZhY2Vib29rLmNvbS8xMDE1NjM2ODg0NTY3NTQzNS9waWN0dXJlIiwiYXVkIjoidHJpZ2dlcmVkLWQxMzI3IiwiYXV0aF90aW1lIjoxNTM2OTIzNjgyLCJ1c2VyX2lkIjoiWDRSajdKaHQ4RWZMVkpXZ09MT1c2TGc1aGJzMSIsInN1YiI6Ilg0Umo3Smh0OEVmTFZKV2dPTE9XNkxnNWhiczEiLCJpYXQiOjE1MzY5MjM2ODIsImV4cCI6MTUzNjkyNzI4MiwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJmYWNlYm9vay5jb20iOlsiMTAxNTYzNjg4NDU2NzU0MzUiXX0sInNpZ25faW5fcHJvdmlkZXIiOiJmYWNlYm9vay5jb20ifX0.n_n2e6RWBpZq0vlPYUl5kOfgneEG3Ud4VaI9BhoU2JDXOjqbbqrqRDx3t7_ArT_XRUrp81m9LnnhmSzq9hef01LCAqKLEj6kzSnPpKu6jcbMWcHR6zNxpsjYK2kQGoxQ05_EqIE09HBYa2ELpzwXym3LCBRNWYV0ylyfcyN4-CY_dCjNdB-e9r_yzmCQ74Atp5Id-LN5U0uuegeBTO4oYs4wAEY9q0UBZOLuAAub8lN-GNcEBOZF0_00lAPgi2N8Ertlw8nmuSy2_aVF8JyNKLexyiGdEjNqg-DpbJ-AhAYwMUOKN_Tyixo9qUgWeYQevYJEVntIjGv_IAs0B6HWAg

You will get a response, which is the data at the location.

If you make this call in Defold, you will get a different response - that’s the problem.

Using the following code:

local url = "https://triggered-d1327.firebaseio.com/user_saves/X4Rj7Jht8EfLVJWgOLOW6Lg5hbs1/base_64_encoded_save.json?auth=eyJhbGciOiJSUzI1NiIsImtpZCI6IjBmNTVkZWZlOWU5YzU2ZmRhZTRkOGY0MDFjZjQ5Njc4YzE2N2MzYWEifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vdHJpZ2dlcmVkLWQxMzI3IiwibmFtZSI6IkpvbmF0aGFuIEhhcnJpcyIsInBpY3R1cmUiOiJodHRwczovL2dyYXBoLmZhY2Vib29rLmNvbS8xMDE1NjM2ODg0NTY3NTQzNS9waWN0dXJlIiwiYXVkIjoidHJpZ2dlcmVkLWQxMzI3IiwiYXV0aF90aW1lIjoxNTM2OTIzNjgyLCJ1c2VyX2lkIjoiWDRSajdKaHQ4RWZMVkpXZ09MT1c2TGc1aGJzMSIsInN1YiI6Ilg0Umo3Smh0OEVmTFZKV2dPTE9XNkxnNWhiczEiLCJpYXQiOjE1MzY5MjM2ODIsImV4cCI6MTUzNjkyNzI4MiwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJmYWNlYm9vay5jb20iOlsiMTAxNTYzNjg4NDU2NzU0MzUiXX0sInNpZ25faW5fcHJvdmlkZXIiOiJmYWNlYm9vay5jb20ifX0.n_n2e6RWBpZq0vlPYUl5kOfgneEG3Ud4VaI9BhoU2JDXOjqbbqrqRDx3t7_ArT_XRUrp81m9LnnhmSzq9hef01LCAqKLEj6kzSnPpKu6jcbMWcHR6zNxpsjYK2kQGoxQ05_EqIE09HBYa2ELpzwXym3LCBRNWYV0ylyfcyN4-CY_dCjNdB-e9r_yzmCQ74Atp5Id-LN5U0uuegeBTO4oYs4wAEY9q0UBZOLuAAub8lN-GNcEBOZF0_00lAPgi2N8Ertlw8nmuSy2_aVF8JyNKLexyiGdEjNqg-DpbJ-AhAYwMUOKN_Tyixo9qUgWeYQevYJEVntIjGv_IAs0B6HWAg"
http.request(url, "GET", function(self,id,response)
	pprint(response)
end)

gives the following response:

{
  status = 401,
  response = {
  "error" : "Unable to validate signature."
}
,
  headers = {
    server = nginx,
    strict-transport-security = max-age=31556926; includeSubDomains; preload,
    content-type = application/json; charset=utf-8,
    connection = keep-alive,
    content-length = 48,
    cache-control = no-cache,
    date = Fri, 14 Sep 2018 11:18:16 GMT,
    access-control-allow-origin = *,
  }
}
1 Like

Yes, I’ve tested this myself and seen the same thing. Not really sure what could be wrong. I’ll try to figure it out.

2 Likes

Thanks, I’ll continue to experiment myself and keep this thread updated with my findings.

Also, I should have said that I think the token is fine. It could very well be part of the problem.

Using https://jwt.io however gives me a good result with:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjBmNTVkZWZlOWU5YzU2ZmRhZTRkOGY0MDFjZjQ5Njc4YzE2N2MzYWEifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vdHJpZ2dlcmVkLWQxMzI3IiwibmFtZSI6IkpvbmF0aGFuIEhhcnJpcyIsInBpY3R1cmUiOiJodHRwczovL2dyYXBoLmZhY2Vib29rLmNvbS8xMDE1NjM2ODg0NTY3NTQzNS9waWN0dXJlIiwiYXVkIjoidHJpZ2dlcmVkLWQxMzI3IiwiYXV0aF90aW1lIjoxNTM2OTIzNjgyLCJ1c2VyX2lkIjoiWDRSajdKaHQ4RWZMVkpXZ09MT1c2TGc1aGJzMSIsInN1YiI6Ilg0Umo3Smh0OEVmTFZKV2dPTE9XNkxnNWhiczEiLCJpYXQiOjE1MzY5MjM2ODIsImV4cCI6MTUzNjkyNzI4MiwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJmYWNlYm9vay5jb20iOlsiMTAxNTYzNjg4NDU2NzU0MzUiXX0sInNpZ25faW5fcHJvdmlkZXIiOiJmYWNlYm9vay5jb20ifX0.n_n2e6RWBpZq0vlPYUl5kOfgneEG3Ud4VaI9BhoU2JDXOjqbbqrqRDx3t7_ArT_XRUrp81m9LnnhmSzq9hef01LCAqKLEj6kzSnPpKu6jcbMWcHR6zNxpsjYK2kQGoxQ05_EqIE09HBYa2ELpzwXym3LCBRNWYV0ylyfcyN4-CY_dCjNdB-e9r_yzmCQ74Atp5Id-LN5U0uuegeBTO4oYs4wAEY9q0UBZOLuAAub8lN-GNcEBOZF0_00lAPgi2N8Ertlw8nmuSy2_aVF8JyNKLexyiGdEjNqg-DpbJ-AhAYwMUOKN_Tyixo9qUgWeYQevYJEVntIjGv_IAs0B6HWAg

EDIT: Just noticed the invalid signature part you mentioned, whoops… maybe this leads somewhere.
EDIT2: Which makes sense… there’s no public key. Still stumped…

If I bundle as HTML, it works - so it would seem that something happening in the engine with the HTTP request. I still don’t have any clues for you however. If you continue to test with that URL, you would expect token expired/permission denied response - we want to avoid the ‘unable to validate…’ response.

Ok, so it works from a browser… hmm… that’s a clue at least. The http.request function has a different implementation on HTML5.

Is there anything you can share me regarding the implementation of the http requests so I might be able to figure out what’s going on?

No not really I’m afraid. I’ve been stuck working on another thing. I’ll look into this soon, most likely on Wednesday.

1 Like

OK thanks.