
validateCustomClaims only runs once and then returns the same result for every other attempted call even when checking different claims (security flaw or am I using it wrong?) #514

Open
tsdexter opened this issue May 1, 2022 · 1 comment

Comments

@tsdexter

tsdexter commented May 1, 2022

Version info

React: 17.0.1

Firebase: 9.6.1

ReactFire: 4.2.1

Steps to reproduce

Use useSigninCheck with validateCustomClaims at some point in the component tree, and then try to use it again later on with different custom claims.

Expected behavior

I should be able to pass different custom claims during different calls to show/hide different parts of the UI. validateCustomClaims should run every time I use it and return the appropriate result. For example, if I want to show some components to "admin" users and some other components to "superadmin" users.

Actual behavior

validateCustomClaims only runs the first time you call it and on subsequent calls just returns the same hasRequiredClaims result from the initial run. This seems to be a major security flaw especially if you aren't aware that it's doing this.

Test case

The sandbox below calls validateCustomClaims in the <App /> component and returns a hardcoded true result... Later in the <ComponentForSuperadminOnly /> it tries to validate that the user has superadmin claim and returns true even though it does not have the claim. Additionally, the validateCustomClaims function is not even run in this call as there is no console.log for it.

If you switch the validateCustomClaims check in the <App /> component to use the requiredClaims method then the custom validator does run in the <ComponentForSuperadminOnly /> component.

Lastly, using the requiredClaims property method to check for superadmin instead of a custom validator returns the appropriate result no matter where it is used. I would assume both methods should always return an accurate result no matter where they are used in the tree.

https://codesandbox.io/s/usesignincheckissue-xqwm4u?file=/src/App.js

@tsdexter tsdexter changed the title validateCustomClaims only runs once and then returns the same result for every other attempted call even when checking different claims (security flaw?) validateCustomClaims only runs once and then returns the same result for every other attempted call even when checking different claims (security flaw or am I using it wrong?) May 1, 2022
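The following script is an added illustration, not ReactFire's implementation (whose internals are not shown on this page): it models the behaviour the report describes with a sign-in check whose result is cached per user while the cache key ignores which check was requested, so the first hasRequiredClaims value is replayed for every later call. Beside it is the same checker with the check identity folded into the cache key. The ID-token object, the validators, the uid and the hook-like API shape are all constructed for the example.

```javascript
// Added example, not ReactFire's code: a minimal model of the reported
// behaviour, where a sign-in check result is cached per user but the cache
// key ignores which check was requested, so the first result is replayed for
// every later call. The token, validators and uid below are constructed.

// Constructed ID-token-like object: this user carries only the "admin" claim.
const idTokenResult = { claims: { admin: true } };

// Two custom validators of the kind a caller might hand to a hook such as
// useSigninCheck({ validateCustomClaims }). Each counts how often it runs, so
// the result shows whether the second check ever executes its validator.
const runs = { isAdmin: 0, isSuperadmin: 0 };
const isAdmin = (claims) => { runs.isAdmin += 1; return claims.admin === true; };
const isSuperadmin = (claims) => { runs.isSuperadmin += 1; return claims.superadmin === true; };

// Buggy model: cache keyed on uid only. Whichever validator runs first wins,
// and its hasRequiredClaims value is returned for every later check.
function makeCheckerKeyedOnUserOnly() {
  const cache = new Map();
  return function check(uid, token, validate) {
    if (!cache.has(uid)) {
      cache.set(uid, { hasRequiredClaims: validate(token.claims) });
    }
    return cache.get(uid).hasRequiredClaims;
  };
}

// Fixed model: the cache key also identifies the check being asked for, so a
// different validator (or a different requiredClaims object) is evaluated
// instead of being served a stale boolean. Validator functions are identified
// by reference through a WeakMap; declarative claim objects by their sorted
// key/value pairs.
function makeCheckerKeyedOnCheck() {
  const cache = new Map();
  const fnIds = new WeakMap();
  let nextFnId = 0;
  const checkKey = (check) => {
    if (typeof check === 'function') {
      if (!fnIds.has(check)) fnIds.set(check, `fn#${nextFnId++}`);
      return fnIds.get(check);
    }
    return 'claims:' + JSON.stringify(
      Object.keys(check).sort().map((k) => [k, check[k]]));
  };
  const evaluate = (check, claims) =>
    typeof check === 'function'
      ? check(claims)
      : Object.entries(check).every(([k, v]) => claims[k] === v);
  return function check(uid, token, required) {
    const key = `${uid}|${checkKey(required)}`;
    if (!cache.has(key)) {
      cache.set(key, { hasRequiredClaims: evaluate(required, token.claims) });
    }
    return cache.get(key).hasRequiredClaims;
  };
}

// Runs the admin check first (as the issue's <App /> does) and the superadmin
// check second, against both models, and reports results and validator runs.
function demonstrate() {
  const uid = 'user-123'; // constructed
  runs.isAdmin = 0; runs.isSuperadmin = 0;
  const buggy = makeCheckerKeyedOnUserOnly();
  const buggyAdmin = buggy(uid, idTokenResult, isAdmin);
  const buggySuperadmin = buggy(uid, idTokenResult, isSuperadmin);
  const buggyRuns = { ...runs };

  runs.isAdmin = 0; runs.isSuperadmin = 0;
  const fixed = makeCheckerKeyedOnCheck();
  const fixedAdmin = fixed(uid, idTokenResult, isAdmin);
  const fixedSuperadmin = fixed(uid, idTokenResult, isSuperadmin);
  const fixedDeclarative = fixed(uid, idTokenResult, { superadmin: true });
  const fixedRuns = { ...runs };

  return {
    buggy: { admin: buggyAdmin, superadmin: buggySuperadmin, runs: buggyRuns },
    fixed: {
      admin: fixedAdmin,
      superadmin: fixedSuperadmin,
      declarativeSuperadmin: fixedDeclarative,
      runs: fixedRuns,
    },
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

In the buggy model the superadmin check reports `true` for a user who only holds `admin`, and its validator never runs, which matches the missing console.log the report mentions. Keying the cache on the validator's identity means an inline arrow function re-created on every render would bypass the cache each time; callers of such a hook would want to memoize the validator, or the hook would key on the claim names instead. Either way, a client-side check like this only gates what the UI renders; data access still has to be enforced by Firebase Security Rules or the backend, which read the same custom claims from the verified token, so a stale client-side result is a UI-gating bug rather than, on its own, a data exposure.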
@dsgriffin

Just found this - having the same issue, validateCustomClaims only ever seems to run once.
