In the docs it's stated that:
But once you sign a user in using signInWithCustomToken(), they will
remain signed in into the device until their session is invalidated or
the user signs out.
So in which conditions does Firebase declare that a session is invalid?
In general Firebase invalidates all sessions of a user when there are big changes to the account. For users signed in with custom token, the session becomes invalid when the user is deleted or disabled.
I've read a bunch of documentation in react-native-firebase, but am not clear about how the token session works.
Conceptually I think the backend checks if the user session token is valid before accessing certain parts of the database, this means they are signed into their account.
Is this a part of RNFirebase or do we just simply use the 'onAuthStateChanged' method to check if the user is logged in?
I understand that ID tokens are JWTs with an expiry. However, I am curious if there is a way to set some sort of expiry on the refresh token given by Firebase sign-in that allows us to call Firebase to get a fresh ID token - AFAIK these never expire.
Refresh tokens don't expire after a certain time interval. The Firebase documentation on managing user sessions says:
Refresh tokens expire only when one of the following occurs:
The user is deleted
The user is disabled
A major account change is detected for the user. This includes events like password or email address updates.
But you can revoke the refresh token (since it's really just an OAuth2 token). See the documentation on revoking refresh tokens for more on that.
Before signing in, userChanges / idTokenChanges produces a null user, signifying that the user is not signed in. When the user signs in, the stream produces a valid User instance.
Is there any way that, based on an external event (i.e. not something the user did within the app), e.g. the user's access token being revoked, the stream can go back to producing a null user, effectively signalling that Firebase has signed the user out? Or would events like that instead be reflected in the ID token changing?
Firebase manages the user's authentication session and checks whether the user is still signed in at least once an hour. At this point it is indeed possible for the userChanged stream to get a null again.
There are multiple ways the user can revert to being signed-out, but a simple one to test with is disabling the user account in the Firebase console.
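Added example (not code from this thread or from the FlutterFire/Firebase SDKs) of how a web client can react when the session becomes invalid on the server side. It subscribes with onIdTokenChanged so a null user is handled in one place, and before a sensitive action it forces a refresh with getIdToken(true); since that goes through the refresh token, a revoked or disabled account fails right there instead of at the next hourly check described above, and the client signs itself out. The auth object used below is a constructed stand-in with only the methods the tracker calls, so the code runs offline; with the real SDK you would pass firebase.auth() instead. The error code in the fake, auth/user-token-expired, is the one the web SDK uses when the user's credential is no longer valid.

```javascript
// Session tracker over the Firebase Auth API surface: onIdTokenChanged, currentUser,
// currentUser.getIdToken(forceRefresh), signOut.
function trackSession(auth, onChange) {
  const state = { status: 'signed-out', uid: null, lastError: null };

  // Fires with null before sign-in and again whenever Firebase decides the user is signed out.
  auth.onIdTokenChanged((user) => {
    state.status = user ? 'signed-in' : 'signed-out';
    state.uid = user ? user.uid : null;
    onChange(state);
  });

  return {
    state,
    // Call before a sensitive operation. A forced refresh exercises the refresh token, so a
    // server-side revocation or disabled account surfaces now rather than within the hour.
    async assertStillValid() {
      if (!auth.currentUser) return false;
      try {
        await auth.currentUser.getIdToken(true);
        return true;
      } catch (err) {
        state.lastError = err.code;
        await auth.signOut(); // clears local state; the stream then emits null
        return false;
      }
    },
  };
}

// Constructed fake (hypothetical) of the small part of the Auth API used above.
function makeFakeAuth() {
  const listeners = [];
  const auth = {
    currentUser: null,
    revoked: false, // flip to simulate revokeRefreshTokens / disabling the account
    onIdTokenChanged(cb) { listeners.push(cb); cb(auth.currentUser); return () => {}; },
    async signOut() { auth.currentUser = null; listeners.forEach((cb) => cb(null)); },
    signIn(uid) {
      auth.currentUser = {
        uid,
        async getIdToken(forceRefresh) {
          if (forceRefresh && auth.revoked) {
            const e = new Error('credential no longer valid');
            e.code = 'auth/user-token-expired';
            throw e;
          }
          return 'constructed.id.token';
        },
      };
      listeners.forEach((cb) => cb(auth.currentUser));
    },
  };
  return auth;
}

// Scenario: sign in, pass a validity check, get revoked server-side, fail the next check.
async function runScenario() {
  const auth = makeFakeAuth();
  const statuses = [];
  const tracker = trackSession(auth, (s) => statuses.push(s.status));
  auth.signIn('anon-123');
  const beforeRevoke = await tracker.assertStillValid();
  auth.revoked = true;
  const afterRevoke = await tracker.assertStillValid();
  return { statuses, beforeRevoke, afterRevoke, lastError: tracker.state.lastError, uid: tracker.state.uid };
}

module.exports = { trackSession, makeFakeAuth, runScenario };
```

The listener is the single place UI decides whether a user is present; assertStillValid only shortens the window between a server-side revocation and the client noticing it.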
The Firebase Authentication documentation states that:
If no previous anonymous account on the platform (for your specific application) has been created, when signing in anonymously Firebase will create a new unique user which will be persisted across app restarts/page reloads. If the user signs-out and reauthenticates anonymously again, they will be signed-in with the previously created account.
Yet when I sign out as an anonymous user and sign in again, I get a new anonymous user, instead of getting signed in with the previously created account. Just to be clear, the sign-in is done by calling FirebaseAuth.instance.signInAnonymously(), and the sign-out is done by calling FirebaseAuth.instance.signOut().
That looks like a mistake in the FlutterFire documentation. Once you sign out from an anonymous account, that account's UID is lost and cannot be reclaimed.
My best guess at the intention of the documentation is that calling signInAnonymously multiple times will result in the same UID. But signing the user out clears that UID and it can't be reclaimed. I submitted a PR to improve the documentation here.
I am using anonymous authentication with Firebase. I know that I can set x hours of session timeout.
To me, it doesn't make sense to timeout a user when he/she is active on the site. Is there a way to extend a user's session when the website is being used actively?
There is currently no way to extend or refresh a Firebase authentication token after it's been minted.
You can monitor .info/authenticated to detect when the user gets unauthenticated.