Firebase 3.x - Token / Session Expiration


Solution 1

In the latest release of Firebase Authentication, login sessions don't expire anymore. Instead it uses a combination of long-lived account tokens and short-lived, auto-refreshed access tokens to get the best of both worlds.

If you want to end a user's session, you can call signOut().

Solution 2

It does expire. After one hour logged in, the token id expires. If you try to verify it, the SDK returns an error: "Error: Firebase ID token has expired. Get a fresh token from your client app and try again. See https://firebase.google.com/docs/auth/server/verify-id-tokens for details on how to retrieve an ID token."

Is there a way to change the expiration time of the Firebase token, not the custom token?

Anybody that knows how this really works?

Solution 3

For anyone that is still confused, it is all explained in great detail here

If your app includes a custom backend server, ID tokens can and should be used to communicate securely with it. Instead of sending requests with a user’s raw uid which can be easily spoofed by a malicious client, send the user's ID token which can be verified via a Firebase Admin SDK (or even a third-party JWT library if Firebase does not have an Admin SDK in your language of choice). To facilitate this, the modern client SDKs provide convenient methods for retrieving ID tokens for the currently logged-in user. The Admin SDK ensures the ID token is valid and returns the decoded token, which includes the uid of the user it belongs to as well as any custom claims added to it.

Solution 4

If the above answer is still confusing to you, this is what I did:

    // Assumes this runs inside a component that provides this.setState (e.g. React).
    firebase.auth().onAuthStateChanged(async user => {
        if (user) {
            // lastSignInTime is a date string; convert it to Unix seconds.
            const lastSignInTime = new Date(user.metadata.lastSignInTime);
            const lastSignInTimeTimeStamp = Math.round(lastSignInTime.getTime() / 1000);
            const yesterdayTimeStamp = Math.round(new Date().getTime() / 1000) - (24 * 3600);
            // Sign the user out if the last sign-in was more than 24 hours ago.
            if (lastSignInTimeTimeStamp < yesterdayTimeStamp) {
                await firebase.auth().signOut();
                this.setState({
                    loggedIn: false
                });
                return false;
            }
            this.setState({
                loggedIn: true,
                user
            });
        }
    });
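
A server-side counterpart to the client-side 24-hour check above, added here as an example and not part of the original answers: given the claims of an ID token whose signature has already been verified, it decides between allowing the request, asking the client to refresh the token, and requiring a new sign-in. The function name, the 24-hour and 60-second constants and the sample claims are assumptions; `auth_time`, `exp`, `iat` and `sub` are standard ID token claims.

```javascript
// Added example (not from the original answers). `claims` stands for the decoded
// payload of an ID token whose signature was already verified (Admin SDK or a
// JWT library); the claim objects below are constructed sample data.
const MAX_SESSION_SECONDS = 24 * 3600; // assumed policy, mirrors the 24 h check above
const CLOCK_SKEW_SECONDS = 60;         // assumed tolerance between clocks

function evaluateSession(claims, nowSeconds, maxSessionSeconds = MAX_SESSION_SECONDS) {
  const { exp, iat, auth_time: authTime, sub } = claims || {};
  // Reject malformed claim sets instead of letting missing values become NaN.
  if (![exp, iat, authTime].every(Number.isInteger) || typeof sub !== 'string' || sub === '') {
    return { action: 'reject', reason: 'missing or malformed claims' };
  }
  // A token issued or authenticated in the future should not be accepted.
  if (iat > nowSeconds + CLOCK_SKEW_SECONDS || authTime > nowSeconds + CLOCK_SKEW_SECONDS) {
    return { action: 'reject', reason: 'iat/auth_time in the future' };
  }
  // auth_time is the moment of the actual sign-in. Refreshing the ID token does
  // not move it, so it bounds the whole session rather than a single token.
  if (nowSeconds - authTime > maxSessionSeconds) {
    return { action: 'reauthenticate', reason: 'session older than policy allows' };
  }
  // exp is the one-hour lifetime of this ID token. The Admin SDK's verifyIdToken()
  // already rejects expired tokens; this branch matters when a generic JWT library
  // verified only the signature. The client recovers with getIdToken(true).
  if (exp <= nowSeconds) {
    return { action: 'refresh', reason: 'ID token expired' };
  }
  return { action: 'allow', uid: sub };
}

// Constructed sample claims (times are Unix seconds).
const NOW = 1700000000;
const fresh = { sub: 'uid-123', iat: NOW - 600, exp: NOW + 3000, auth_time: NOW - 7200 };
const expired = { ...fresh, iat: NOW - 4000, exp: NOW - 400 };
const staleSession = { ...fresh, auth_time: NOW - 25 * 3600 };

for (const [name, c] of Object.entries({ fresh, expired, staleSession })) {
  console.log(name, evaluateSession(c, NOW));
}
```

Because the limit is enforced on the server from `auth_time`, a client that skips the sign-out check in its own code still cannot extend the session by refreshing tokens.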


Author: shibapoo

Updated on July 09, 2022

Comments

  • shibapoo almost 2 years
    Does anyone know how long it would take for the token to expire? There is no option now to set the token validity on the console.
  • Deamon almost 8 years
    Frank, could you elaborate on the details? For instance, FB long-lived token expires in 60 days but auto-refreshed once a day when someone makes any request but will force login flow if no request is made.
  • WYS almost 8 years
    The latest release of Firebase Authentication gives me this "[FirebaseDatabase] Authentication failed: expired_token (Auth token is expired)"
  • shibapoo almost 8 years
    In the new Firebase, session only expires if you have big changes in your account, let's say you change your password, etc.
  • Bikash over 7 years
    My token expires every one hour, I have added SHA-1 in Firebase console, I send the token to my custom server for verification. Could anyone help me why my expiry time is just one hour?
  • Lion789 over 7 years
    Any solutions running into this issue?
  • Incinerator almost 7 years
    It seems this has changed yet again, and now the tokens do expire after a while.
  • Frank van Puffelen almost 7 years
    This hasn't changed. Login sessions don't expire. But the short-lived tokens (I think they're called ID tokens) are valid for only an hour. When you use a Firebase SDK, it auto-refreshes those short-lived tokens.
  • django09 almost 7 years
    Since the ID tokens expire once an hour, how can we use them to authenticate with a custom server? I followed the directions on how to verify id tokens on my server, but now the server can't recognize a logged in user after only an hour passes.
  • Giridhar Karnik over 6 years
    Option 1: have a response intercept and refresh the token if the token is invalid and remake the API call.
  • ProblemsOfSumit over 6 years
    You could always use currentUser.getIdToken() but my problem is that this returns a promise :-/ I don't want to do async stuff in my request interceptors...
  • geeky_monster over 4 years
    @ProblemsOfSumit you can pass a boolean 'false' as a parameter to getIdToken to make it synchronous.
  • André Ramon almost 3 years
    The token still expires after one hour and this does not solve the issue.