RegExp fail for FB profile picture URL in validator.isURL

[mkozl]

System

• Operating System version: any
• Library version: 5.11.0
• Firebase Product: auth

Steps to reproduce:

Create new user account with photoURL: 'https://lookaside.facebook.com/platform/profilepic/?asid=1573869239329573&height=100&width=100&ext=1523514938&hash=AeRYcBMjHUJiXvR4'

Code:

const FirebaseAdminSDK = require('firebase-admin');
FirebaseAdminSDK.initializeApp(config.firebase.initAdmin);

const newUser = {
    email: 'useremail@gmail.com',
    displayName: 'User Name',
    photoURL: 'https://lookaside.facebook.com/platform/profilepic/?asid=1573869239329573&height=100&width=100&ext=1523514938&hash=AeRYcBMjHUJiXvR4'
};

FirebaseAdminSDK.auth().createUser(newUser);

Error:

Error: The photoURL field must be a valid URL.
    at FirebaseAuthError.FirebaseError [as constructor] (/var/www/api_service/node_modules/firebase-admin/lib/utils/error.js:39:28)
    at FirebaseAuthError.PrefixedFirebaseError [as constructor] (/var/www/api_service/node_modules/firebase-admin/lib/utils/error.js:85:28)
    at new FirebaseAuthError (/var/www/api_service/node_modules/firebase-admin/lib/utils/error.js:143:16)
    at validateCreateEditRequest (/var/www/api_service/node_modules/firebase-admin/lib/auth/auth-api-request.js:175:15)
    at /var/www/api_service/node_modules/firebase-admin/lib/auth/auth-api-request.js:322:5
    at /var/www/api_service/node_modules/firebase-admin/lib/auth/auth-api-request.js:657:13
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:188:7)

errorInfo: 
   { code: 'auth/invalid-photo-url',
     message: 'The photoURL field must be a valid URL.' },
     codePrefix: 'auth' }

Additional info

I'm working on service with Firebase customToken for multiple Facebook appIds and ids_for_business. One of steps required creating new Firebase account with data from FB Graph API. Issue occurs when im trying create user account with picture url from Facebook API (https://developers.facebook.com/docs/graph-api/reference/user/picture/).

I checked photoURL format when account is created with FacebookProviader for single Facebook appId and url looks the same.

I couldn't find any reason why FB url could be invalid. I started debugging firebase-admin lib code and found issue with RegExp here
https://github.com/firebase/firebase-admin-node/blob/master/src/utils/validator.ts#L207 (debuger view https://ibb.co/eZcZwc).

I didn't found similar test case url at https://github.com/firebase/firebase-admin-node/blob/master/test/unit/utils/validator.spec.ts#L382 .

That’s why i think it's a bug. Could you fix this issue for FB picture url?

[bojeil-google]

I tested with 5.12.0 and couldn't replicate this. Please upgrade to the latest version and try again.

[hiranya911]

I believe it's the trailing '/' at the end of the path (right before the query string) that is causing problems:

> utils.isURL('https://lookaside.facebook.com/platform/profilepic/?asid=1573869239329573&height=100&width=100&ext=1523514938&hash=AeRYcBMjHUJiXvR4')
false
> utils.isURL('https://lookaside.facebook.com/platform/profilepic?asid=1573869239329573&height=100&width=100&ext=1523514938&hash=AeRYcBMjHUJiXvR4')
true

[bojeil-google]

I tested both and both work in the latest version. There was some issue with that validation which I fixed before the 5.12.0 release. I think that may be the cause.

[hiranya911]

You're indeed right. My working copy was out of sync. It works fine on the latest master (and also 5.12.0):

> utils.isURL('https://lookaside.facebook.com/platform/profilepic/?asid=1573869239329573&height=100&width=100&ext=1523514938&hash=AeRYcBMjHUJiXvR4')
true

[mkozl]

On version 5.12.0 works fine.

My bad. I didn't check releases before posting issue.

Thanks for help.