Regenerate ( refresh ) Token on Browser - firebase

The scenario is, we have a website which for some web notification we're using web push and after user login into the website we check that if he/she granted notification permission to us we don't ask it ,if not we ask to enable notification, The generated Token is per browser I mean if the user log-out and another user login to our website previous Token available for the new logged in user, So if we want to notify the previous user, the new user got our notification.
The simple solution is on Logout delete the token and after each login we should ask user to grant permission again to us but it's bothering user, I have an idea when user login to the site, we check that previous user was herself/ himself, we do nothing , but if there is another user, without asking to grant permission again(while we asked them before) we refresh the token , I mean regenerate another Token for him/her and save that Token in our backend, My question is How can we regenerate the Token without asking again to grant Notification permission in the Browser?

You can't regenerate the token without revoking permission.
However you can use the same strategy that we have used for Pushpad:
each token (i.e. browser) in your database is present only once
each token has at most one user ID associated to it
when the user logs out you remove the user ID from the token
when the user logs in you add the user ID to the current token
when you need to send notifications you target specific user IDs

Related

How can I get the anonymous access token after the user has logged in with an email account?

As part of my project, I need to send both the anonymous and the email access token to the backend.
Unfortunately, after the user logs in through the Firebase-UI, Firebase only returns the token for the newly logged-in user.
I could of course store the anonymous token, but it's possible that that would expire in the meantime. So is there a way to keep both the anonymous user as well the signed-in email user and get their token?
I need to send both the anonymous and the email access token to the backend.
You can do that, but separately. You cannot have a single user logged in with two different providers at the same time.
Unfortunately, after the user logs in through the Firebase-UI, Firebase only returns the token for the newly logged-in user.
That's the expected behavior. Since you can only read the token of the currently logged-in user.
but it's possible that that would expire in the meantime
The anonymous auth token that identifies the account doesn't persist when the user logs out, and unfortunately, there is no way to reclaim that token for the user. Firebase anonymous authentication helps you create and use temporary accounts to authenticate your users in your application. These temporary anonymous accounts can be used to allow users who haven't yet signed up for your app. If such an anonymous user decides later to sign up for your application, you can link their sign-in credentials to the anonymous account.
So is there a way to keep both the anonymous user as well the signed-in email user and get their token?
No.

Firestore reauthenticate user

I'm using Delphi 10.4.2 and FB4D to do a mobile app.
The first time the user open the app, he create an account (mail / password).
Then he can call Firebase to get documents where he is the owner (settings Firestore rules).
The user can close the app.
When he open it, I didn't want ask him for the password, and I didn't want to store the password on a config file to login him.
I prefer to store a token, and then ask for refresh when it is expired.
When a user is login, I can refresh token like that :
if fAuth.NeedTokenRefresh then
fAuth.RefreshToken(OnTokenRefresh, onUserError);
The problem is that the second time he open the app, FAuth isn't initialized. Unless I store mail / pwd and login user, what I didn't want to do.
Does it's possible ?
If someone have same question, you can login a user with the last refresh token you get :
FraSelfRegistration.Initialize(FConfig.Auth, OnUserLogin, 'last_token');
You need to add the uses FB4D.SelfRegistrationFra and init FConfig like that :
FConfig := TFirebaseConfiguration.Create(ApiKey, ProjectID, '', FirebaseURL);
So you can login user without store any password
Never save the user's email and password in your app!
I do this in the demo application only to accelerate the first step in learning firebase/FB4D.
Instead, save the RefreshToken as implemented in the self-registration frame.
Good success with FB4D!

How to implement timeouts for firebase email authenticated logins?

When I login to to my firebase webapp using email and password then I still remain logged in even when I open the application the next day.
It seems to me that when we login to the firebase webapp using email and password based authentication the user will remain logged in until and unless he explicitly logouts.
Is it possible to timeout the login sessions so that if someone comes to use the same workstation after some time and the previous user has not logged out then the new user needs to reenter the credentials?

Lose password after sign in using Google provider

I have an Android app with use Firebase authentication using email and password. Recently added Google provider now my users can sign in wih his Google account, the problem is the following
There's an existing user example#gmail.com registered on my app, later the user sign in with his Google account Firebase automatically change the provider of the account from email to Google, the problem the user sign out and try to login with his email/password and got a message
The password is invalid or the user does not have a password
I understand why happens, but users (you know they are users) get frustrated because can't login with his email/password
There's some way to tell Firebase to keep the user password or when a user login with Google and this convertion happens in order to notify to user
Note My app only allow one account per email
I found there's a method fetchProvidersForEmail I asume I can build a flow over that method that check which provider have the user and allow the user chose if want to keep if old password by asking and linking account or just continue

Oauth Revoke access token only

I'm using OAuth 2.0 to log in users in my website. Just like any kind of website, e.g. Google, Asana, etc. .
What I would like to know is if there is a way to revoke ONLY the access token and not the refresh token when the user logs out.
This is what I do:
when a user logs in, I create a session and obtain the access token (and the refresh token if the user logs in for the first time). When the user logs out, I just invalidate the session but the access token is still valid.
Sure, the access token will invalidate after a while or when the user logs in the web app again but what I want to know is if the access token can be invalidated during the log out process.
There's no generic answer to this question as the implementation of token revocation behavior wrt. related tokens is Authorization Server specific. Google will invalidate the refresh token together with the access token that is being revoked, other implementations may choose not to do so. Yet other implementations may not even offer a way to revoke access tokens at all.
For Google you can revoke the access token upon logout as described in https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke but it will also revoke the associated refresh token. You must then go through the authorization code flow again to get a new refresh token, which you could try with prompt=none to avoid the user being prompted.

Resources