I've read a bunch of documentation in react-native-firebase, but am not clear about token session works.
Conceptually I think the backend checks if the user session token is valid before accessing certain parts of the database, this means they are signed into their account.
Is this a part of RNFirebase or do we just simply use the 'onAuthStateChanged' method to check if the user is logged in?
Related
background of this question
I'm using firebase auth for user authentication on my app.
I realized that firebase doesn't have a log of user information changes, so I can't answer user questions about it.
So, I'm planning to move the feature of changing user account info (like email, display name, and password) from using the client-side firebase auth library to using server-side firebase auth SDK for the purpose of taking logs of these changes to use for user support. Also, I'd like to make logout a user who changes account info.
I've looked for the appropriate API on the document firebase.google.com/go/v4/auth and found UpdateUser function. The struct UserToUpdate which is a parameter of UpdateUser can set a new email address, new password and new display name, but I can't find to set the parameter to make a user logout.
my question
Is there a way to log out a specific user by firebase auth go SDK?
Firebase Authentication's client-side sign-in is based on ID tokens, which are valid until their built-in expiration (by default: an hour after they are minted). Since no server keeps a list of all the ID tokens it has minted, there is no way to mark a token as invalid on such a list either.
The common approach to revoke access for a user is to:
Revoke the refresh token, so that they can no longer mint new ID tokens with it.
Add the ID token(s) of the user to a self-managed list of revoked ID tokens.
Detect the presence of an ID token in this list from your server-side code and security rules.
Optionally detect the refresh token revocation on the client
Instead of logging the user out, you can also force-refresh their ID token/profile on the client to get the latest information from the server.
I like to implement the functionality
where if two users are trying to login with the same credentials then the first user should log out as soon as the second user login.
consider user one is logged in with his credentials from one machine
and he/ another user is trying to log in from another machine
then the user one session should be removed as soon as user one logged in.
Ps:
I tried to implement that by saving the current session id in the user table and overriding the OnCreated method from the IAuthSession interface and then checking in that if the request sessionId is the same as the saved session Id if same then process the request else call the lout endpoint.
But It will be not good for performance and I am not sure if it is a good way to do that?
PS: I am using a JWT token.
Update :
I am able to clear the session by using ICacheClient to get the session and then remove a session from the server using IRequest.RemoveSession(sessionId), but is it not log out the specific user.
You can't invalidate a user authenticating with stateless authentication like JWT which has the signed authentication embedded in the Token which is valid until the JWT expiry.
i.e. you can't revoke a JWT Token after it's already been issued.
There is a JwtAuthProvider.ValidateToken filter you can use to execute custom logic to prevent a user from authenticating which you may be able to use however that would require that you manage a collection of Token info you want to prevent from authenticating before its Token expiry.
In Firebase, it is possible to log in a user as anonymous with a token, and when the user decides to register, just update the credentials. I have a hard time understanding whether the same is possible with Auth0.
We are now using Auth0 as identity provider, the flow is the following:
The user is using the app anonymously with limited access.
User registers in the app with Auth0.
Auth0 issues a token
Firebase receives the token and lets the user use the restricted parts. All the data generated by the anonymous user is lost
What I want to achieve:
When the user starts using the app, Auth0 immediately creates a user token
The token is valid to access certain parts of Firebase database
If/when the user decides to register, their token remains valid but receives additional credentials
Firebase lets the user use the restricted parts
It's Konrad from Auth0 Community Team. Yep as Baskaro said unfortunately it's not supported from our side of stack. It will be great if you can submit it as a feature request to our product team using our feedback form (you will be contacted by one of our product managers within 10 business days):
https://auth0.com/feedback
So, I have created a cloud function using Firebase Admin SDK. The purpose of that function is to disable the user and after successfully disabling it, I want that user to be logged out from my application. I have disabled user but can't figure out how to log out the user.
I was wondering if there is any function of a workaround to achieve this?
A user that is signed in to your app has a ID token that is valid for up to an hour. Once that token has been created, there is no way to revoke it.
The typical way to handle your use-case is to also flag the user in a server-side database once you disable their account, and then check that flag in any operations.
For example, if your using the Firebase Realtime Database, and disable the user with Node.js, the code to also flag the user in the database could look like this:
// Disable the user in Firebase Authentication to prevent them from signing in or refreshing their token
admin.auth().updateUser(uid, {
disabled: true
}).then(function() {
// Flag the user as disabled in the database, so that we can prevent their reads/writes
firebase.database().ref("blacklist").child(uid).set(true);
});
And you can then check this in the server-side security rules with something like this:
{
"rules": {
".read": "auth.uid !== null && !root.child('blacklist').child(auth.uid).exists()"
}
}
This rule allows all users that are signed in (auth.uid !== null) full read access to the database, but blocks users who you've flagged (!root.child('blacklist').child(auth.uid).exists()).
For an (even) more elaborate example of this approach, see the documentation on session management.
There are two main types of tokens used in Firebase Auth that are relevant to your question here:
Refresh token
ID token (aka, access token)
Firebase ID tokens are short lived and last for an hour; the refresh token can be used to retrieve new ID tokens. Refresh tokens expire only when one of the following occurs:
The user is deleted
The user is disabled
A major account change is detected for the user. This includes events like password or email address updates.
https://firebase.google.com/docs/auth/admin/manage-sessions
So in your case, when you disable the user, the refresh token will be automatically revoked. This means that once the short-lived ID token expires, they won't be able to retrieve a new one.
But you want them to be logged out immediately after being disabled. There are two main considerations here:
if you control the well-behaved client application, you can voluntarily log them out in the client
if you want to truly protect against malicious actors, you can revoke the ID token on the backend
Voluntarily logging out in a well-behaved client
If the token is revoked via the Admin SDK, the client is informed of the revocation and the user is expected to reauthenticate or is signed out:
https://firebase.google.com/docs/auth/admin/manage-sessions#respond_to_token_revocation_on_the_client
However, the docs are very misleading here. There is no built-in behaviour to automatically inform the client of a revocation. Instead, you can follow the suggestions in this thread (https://groups.google.com/g/firebase-talk/c/cJjo9oknG6g/m/XG24x8SqEgAJ) which talk about how to implement this behaviour. The two main options presented are:
Use Firebase Realtime Database to build your own real-time "push" mechanism to detect revocations
Use currentUser.getIdToken(true) to force-fetch a new id token, which will detect the refresh token revocation, and log the user out (you should get an even on the onAuthStateChanged listener).
For option 2, note the parameter true passed in to forceRefresh. This is generally not a good option - you don't want to force refresh on every API request, but if you don't, it's hard to know when to do a force refresh.
When you refresh the page, the Firebase client SDK will typically automatically perform a force refresh.
Server-side detection
When a user's ID token is to be verified, the additional checkRevoked boolean flag has to be passed to verifyIdToken. If the user's token is revoked, the user should be signed out on the client or asked to reauthenticate using reauthentication APIs provided by the Firebase Authentication client SDKs.
https://firebase.google.com/docs/auth/admin/manage-sessions#detect_id_token_revocation_in_the_sdk
Note that using the checkRevoked=true option results in a network request from your backend to Firebase's backend, which is expensive. Again, it's hard to know when it's worth using checkRevoked. Perhaps it's worth the cost to always perform the network check on a small subset of highly sensitive APIs.
Summary
You should read through the docs in full (https://firebase.google.com/docs/auth/admin/manage-sessions) and see which approach suits you best.
Frank van Puffelen has already covered the other standard option - using rules to guard Firebase backend services.
But in general, there isn't anything that helps out of the box. If you understand the concept behind refresh tokens and id tokens, you'll notice that it's fundamentally not possible to revoke the ID token while retaining the performance benefits (ie, reducing network traffic) that is the entire reason for using the refresh+id model to begin with.
I'd just let the token expire, and accept that any "disable" can be delayed by up to 1 hour.
In the docs it's stated that:
But once you sign a user in using signInWithCustomToken(), they will
remain signed in into the device until their session is invalidated or
the user signs out.
So in which conditions does Firebase declare that a session is invalid?
In general Firebase invalidates all sessions of a user when there are big changes to the account. For users signed in with custom token, the session becomes invalid when the user is deleted or disabled.