I'm using the built-in Firebase password authentication and I'm wondering what a "reasonable" timeout for logging in via authWithPassword(). I had thought initially that this would be sub-second but now it appears there is a lot of volatility and even at 3 seconds I'm getting a lot of timeouts.
note: I suspect this might not be the highest priority because for typical client app the logging in process is a one-time affair but for micro-services the headroom of 3 seconds is pretty substantial (most operations overall run time is 1-2 seconds). Happy to be wrong.
This is fairly subjective to the app, but Firebase login should be faster than 3 seconds. If you're consistently seeing long times and connection errors, then you should contact support#firebase.com.
You can also let Firebase handle the timeout and/or errors for you in the callback:
var ref = new Firebase("https://<YOUR-FIREBASE-APP>.firebaseio.com");
ref.authWithPassword({
email : "bobtony#firebase.com",
password : "correcthorsebatterystaple"
}, function(error, authData) {
if (error) {
// this is your login issue
console.error("Login Failed!", error);
} else {
console.log("Authenticated successfully with payload:", authData);
}
});
Related
How long do the firebase credentials last in the web client, I am making a web application that is planning to stay offline for months and when they get back online it will be updated. What I need to know is how long they last, can the time be increased?.
I have looked in the firebase documentation but I have not been able to find the desired information
I mean these credentials https://i.stack.imgur.com/dZqH5.png
This information is from the documentation right here:
firebase.auth().setPersistence(firebase.auth.Auth.Persistence.LOCAL)
.then(function() {
return firebase.auth().signInWithEmailAndPassword(email, password);
})
.catch(function(error) {
// Handle Errors here.
var errorCode = error.code;
var errorMessage = error.message;
});
The word "Local" indicates that indicates that the state will be persisted even when the browser window is closed or the activity is destroyed in React Native. An explicit sign out is needed to clear that state.
So the user stay logged in forever unless the browser is re-installed or data is cleared.
There are other two mode alongside 'Local' - 'Session' and 'Null'. You can read about them in the link provided above.
By the way, it's "LOCAL" by default.
Not sure if this is what you're looking for, but it appears the behavior of firebase credentials is customizable.
I'm using SignalR 2.2.2 to send users messages from my backend. When a user is logged in, and if other conditions are met, their connection is added to a group with the user's userId on my message hub.
It works great, as long as they have ~10 or fewer tabs/windows open. Any beyond that, they're stuck in "Loading..." indefinitely.
It seems to just be getting stuck on $.connection.hub.start();
I don't necessarily need to allow each user an infinite amount of signalr connections, but breaking the entire site for them on 10 open tabs is a problem.
OKAY BUT HERE'S THE THING. When I change my project's server setting from Local IIS to IIS Express, this problem vanishes! BUT! When we build the solution & put it on the test server, it's still broken.
What is going on???
I've tried catching or handling an error, but it still just hangs there.
$(function () {
if (loggedInUser != null)
{
var user = loggedInUser.UserId;
var messaging = $.connection.messageHub;
if (conditions) {
$.connection.hub.start().done(function () {
messaging.server.joinGroup(user);
});
}
}
});
I can get this to work with IIS Express. Now I need it to work like that on my test (and then later production) Server.
What else can I even try?
We experience problems with authentication when on Android:
FirebaseAuth firebaseAuth = FirebaseAuth.getInstance();
FirebaseUser firebaseUser = firebaseAuth.getCurrentUser();
Task<GetTokenResult> tokenTask = firebaseUser.getToken(true)
.addOnCompleteListener(TaskExecutors.MAIN_THREAD, null);
try {
token = Tasks.await(tokenTask).getToken();
} catch (Throwable e) { }
and on Java server:
Task<FirebaseToken> authTask = FirebaseAuth.getInstance().verifyIdToken(principal.getClientToken());
try {
Tasks.await(authTask);
} catch(ExecutionException | InterruptedException e ) { }
if (authTask.isSuccessful()) {
firebaseToken = authTask.getResult();
} else {
log.error(authTask.getException().getMessage());
}
The problem is that we got in log (that corresponds to above logging statement):
Token has expired or is not yet valid
We also dump device number and resulted token and can use it successfully afterwards with requests on server so Java server validate this token...
What is meaning of is not yet valid? Do we need to wait some time before token become valid?
Because of firebaseUser.getToken(true) on Android we can't authenticate mobile client.
We change this to firebaseUser.getToken(false). This call return same token between calls for a long period of time and after some delay (near 40 sec) from first attempt token is validated by server. So after several attempts mobile application is able to authenticate.
The time necessary to wait for token to become valid within a minute and this can be issue with time mismatching on Google servers...
On Android we work with:
compile 'com.google.firebase:firebase-core:9.2.0'
compile 'com.google.firebase:firebase-messaging:9.2.0'
compile 'com.google.firebase:firebase-auth:9.2.0'
on server we work with:
compile 'com.google.firebase:firebase-server-sdk:3.0.1'
After debugging issue further we found that local authentication server depends on hardware time.
Our hosting virtual server late on 7 min from current time.
Fixing VM hardware time settings is resolved our problem.
It is not wise for Google to depend on malformed local server time. At least on broken VM time is consistent, they most probably compare time with other parties so we resulted in error.
I'm trying to update my angularjs app to support Firebase 1.1 (I was stick with Firebase 1.0.x).
It deprecates firebasesimplelogin, including authentication inside Firebase core.
I have been able to successfully implement authentication using
authWithOAuthPopup("<provider>", function(error, authData) { ... });
It accepts a callback, which is passed authentication data in authData.
On the contrary, I can't undersand how to use
authWithOAuthRedirect("<provider>", function(error) { ... });
Firebase Authentication docs page is very concise... :-(. This is all what is said:
Alternatively [instead of authWithOAuthPopup], you may prompt the user to login with a full browser redirect, and Firebase will automatically restore the session when you return to the originating page
How do I get authData, when Firebase - after redirection - returns to my page?
The authData is available by registering a listener directly on the ref (so before calling authWithOAuthRedirect).
ref.onAuth(function(authData) {
...
}
ref.authWithOAuthRedirect("google", function(error) { ... });
See https://www.firebase.com/docs/web/guide/user-auth.html#section-monitoring-authentication
I think I'm running into the same issue as you. I'm trying to do Facebook authentication.
First, I'd like to clarify the reproduction steps for my issue.
My app is loaded on the client.
User clicks login with Facebook.
ref.authWithOAuthRedirect('facebook', ...) is called.
Client is redirected to Facebook and Facebook redirects client back to Firebase app
Despite successful authentication with Facebook, the callback passed to onAuth() is invoked (only once) with authData === null.
The callback passed to onAuth() is not invoked a second time with correct authData.
However, reloading the app causes the callback passed to onAuth to be invoked with correct authData. The reasons for this are not known to me but I suspect race condition.
Here's my workaround.
Before calling ref.authWithOAuthRedirect('facebook', ...) set yourself a flag in sessionStorage.
sessionStorage.reload = true;
ref.authWithOAuthRedirect('facebook', ...)
When the client is redirected to your app back from Facebook, you should be able to check for this flag and reload the page if necessary.
if (sessionStorage.reload) {
delete sessionStorage.reload;
setTimeout(function() {
location.reload();
}, 1000)
}
setTimeout(function() { ... }, 1000) helps fight the assumed race condition. I found 500 ms is insufficient time for the race condition to be resolved.
And one small gotcha: if you reload the page too soon, then authData remains null no matter how many times you reload the page.
We are getting hit with a scenario where a user logs off and previous good session cookie ( including sliding time window) is replayed and our code jumps right to the requested page as the user. We are not maintaining session state in the server. This Asp.Net forms authentication.
I was thinking that the only solution to this is to add columns to the server to track a users log status. Not real hard but requires code, db, and deployment to accomplish.
Is this the best way to handle this? Since we will have to crack into code anyway, we could add client request ip's and other stuff to the cookie. But the current spoof is to reuse the clients machine as well as the session.
Any thoughts?
Thanks in advance
bille
Javascript code that checks for inactivity -> logout
$j(document).ready(function () {
/******************************************************************
Auto-logout after the user's session times out
******************************************************************/
var timeOut = (_TIMEOUT - 5) * 60;
var setTimeout = function () {
$j(".session-timeout").stopTime().oneTime(timeOut + "s", function () {
$j(this).show();
$j(this).oneTime("300s", function () {
window.location = $j(this).find("a.logout").attr("href");
});
});
};
$j(".session-timeout a.refresh-session").click(function () {
NextGen.CHS.UtilitiesWebService.RefreshSession(
function () {
$j(".session-timeout").fadeOut();
setTimeout();
},
function () {
}
);
});
setTimeout();
});
I ended up fixing this by tracking users log in/out state and activity timestamps. When a replayed session is received, we still decrypt the forms ticket and find valid "session" information. This identifies the user, we then check if logged out and if so redirect to log in page.
For cases where the user kills the browser without logging out, the activity time stamp is used in a sql job that sweeps the user table logging out inactive users.
weidson