This document explains all authentication mechanisms used in the Aantekeningen App and how to troubleshoot common issues.
The app uses two different authentication systems:
FIREBASE_PROJECT_ID=your-project-id
FIREBASE_CLIENT_EMAIL=firebase-adminsdk-xxxxx@your-project.iam.gserviceaccount.com
FIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
client_email → FIREBASE_CLIENT_EMAIL
private_key → FIREBASE_PRIVATE_KEY (keep the quotes and \n characters)
Error: "Could not load the default credentials"
FIREBASE_CLIENT_EMAIL and FIREBASE_PRIVATE_KEY to your .env.local
Error: "invalid_grant" or "invalid_rapt"
Error: "Project not found"
FIREBASE_PROJECT_ID matches your Firebase project ID exactly
GOOGLE_CLIENT_ID=your-oauth-client-id
GOOGLE_CLIENT_SECRET=your-oauth-client-secret
GOOGLE_REDIRECT_URI=http://localhost:3000
GOOGLE_REFRESH_TOKEN=your-refresh-token
http://localhost:3000 (development)
https://your-domain.com (production)
Use the provided script:
node scripts/refresh-oauth-token.mjs
Follow the instructions to:
Error: "invalid_grant" or "invalid_rapt"
node scripts/refresh-oauth-token.mjs to get a new token
Error: "access_denied"
Error: "redirect_uri_mismatch"
node scripts/check-credentials.mjs
This script will:
node scripts/validate-student-id.mjs <student-id>
This script will:
| Error | Cause | Solution |
|---|---|---|
| invalid_rapt | Expired refresh token | Run refresh-oauth-token.mjs |
| Could not load default credentials | Missing Firebase credentials | Add service account credentials |
| Student not found | ID doesn't exist in Firestore | Check if it's a Drive folder ID instead |
| Drive folder not found | Invalid Drive folder ID | Verify the folder exists in Google Drive |
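A pre-flight check for the environment variables and errors listed above, written as an added example; it is not the project's scripts/check-credentials.mjs. The function names, problem labels and the registeredRedirectUris parameter are assumptions, and the sample values are constructed placeholders.

```javascript
// Added example; not the project's scripts/check-credentials.mjs.
// Variable names come from this page; function names and problem labels are assumptions.
const PEM_RE = /^-----BEGIN PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+\n-----END PRIVATE KEY-----\n?$/;
const REQUIRED = ["FIREBASE_PROJECT_ID", "FIREBASE_CLIENT_EMAIL", "FIREBASE_PRIVATE_KEY",
  "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET", "GOOGLE_REDIRECT_URI", "GOOGLE_REFRESH_TOKEN"];

// A .env loader may hand back the key with literal backslash-n pairs and its quotes
// still attached; strip the quotes and turn the pairs into real newlines.
function normalizePrivateKey(raw) {
  return String(raw ?? "").trim().replace(/^"([\s\S]*)"$/, "$1").replace(/\\n/g, "\n");
}

// Returns [{ variable, problem }]. Values are never echoed, so the result can be
// pasted into a ticket or CI log without leaking a secret.
function checkAuthEnv(env, registeredRedirectUris) {
  const problems = [];
  const flag = (variable, problem) => problems.push({ variable, problem });
  const has = (name) => typeof env[name] === "string" && env[name].trim() !== "";
  for (const name of REQUIRED) if (!has(name)) flag(name, "missing");

  if (has("FIREBASE_PRIVATE_KEY")) {
    const pem = normalizePrivateKey(env.FIREBASE_PRIVATE_KEY);
    if (!pem.includes("\n")) flag("FIREBASE_PRIVATE_KEY", "newlines lost");
    else if (!PEM_RE.test(pem)) flag("FIREBASE_PRIVATE_KEY", "not a PEM private key");
  }
  if (has("FIREBASE_CLIENT_EMAIL") && has("FIREBASE_PROJECT_ID")) {
    // Heuristic: service account addresses look like name@<project-id>.iam.gserviceaccount.com
    const domain = env.FIREBASE_CLIENT_EMAIL.trim().split("@")[1] || "";
    if (domain !== `${env.FIREBASE_PROJECT_ID.trim()}.iam.gserviceaccount.com`) {
      flag("FIREBASE_CLIENT_EMAIL", "project mismatch");
    }
  }
  // Exact string comparison: a trailing slash or an http/https swap counts as a mismatch.
  if (has("GOOGLE_REDIRECT_URI") && !registeredRedirectUris.includes(env.GOOGLE_REDIRECT_URI)) {
    flag("GOOGLE_REDIRECT_URI", "redirect_uri_mismatch");
  }
  return problems;
}

// Constructed sample (placeholder values, no real key material).
const sampleEnv = {
  FIREBASE_PROJECT_ID: "your-project-id",
  FIREBASE_CLIENT_EMAIL: "firebase-adminsdk-xxxxx@your-project-id.iam.gserviceaccount.com",
  FIREBASE_PRIVATE_KEY: "-----BEGIN PRIVATE KEY-----\\nQ09OU1RSVUNURUQ=\\n-----END PRIVATE KEY-----\\n",
  GOOGLE_CLIENT_ID: "your-oauth-client-id",
  GOOGLE_CLIENT_SECRET: "your-oauth-client-secret",
  GOOGLE_REDIRECT_URI: "http://localhost:3000/", // trailing slash, not what was registered
  GOOGLE_REFRESH_TOKEN: "your-refresh-token",
};
console.log(checkAuthEnv(sampleEnv, ["http://localhost:3000", "https://your-domain.com"]));
```

In a real run, pass process.env as the first argument once .env.local has been loaded.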
Never commit credentials to git
.env.local for local development
Rotate credentials regularly
Use least privilege
Monitor usage
If you encounter issues not covered here:
node scripts/check-credentials.mjs to verify your setup