How to simulate auth/user-token-expired

[bradstiff]

I'm using Firebase auth with Google Sign In and Facebook Auth. I'm signing in with the 3rd party provider, and then taking that credential and signing into Firebase. I add the Firebase user's idToken (via getIdToken, called every time) to every API request and then validate the token on the server.

Everything works perfectly.

But I have seen three cases where auth().currentUser.getIdToken throws an 'auth/user-token-expired' error. The error continues (ungracefully) until the user manually signs out and signs in again. In speaking with one of the users, he informed me he had changed his Google password previously.

So I have added code to catch this case and inform the user they need to sign in again. I am trying to verify my solution works as expected, but I cannot cause the error to happen.

I signed in with Google and subsequently changed the Google account's password. After an hour or so, I checked the app (where I was still signed in) hoping the error would occur when the app requested an idToken. But it doesn't occur.

How long does it take after changing your Google password for Firebase to no longer be able to generate idTokens?

Or am I missing something?

[mikehardy]

I wish I knew so I could help, but must admit I don't. However this is a more general firebase question, I think you might get more attention (ideally from the firebase folks themselves) on stackoverflow if you post it there and tag it appropriately. I know they use that as a semi-official support channel for questions similar to this, so it might be the best way to get an authoritative answer. Alternatively, the firebase-ios-sdk has the auth module open sourced (android does not!) so you might be able to see via direct code inspection

[bradstiff]

I'll post on SO.

Thanks for your time, Mike.

[bradstiff]

The place where I am seeing the error is in my API client where I am calling auth().currentUser.getIdToken() and adding an auth header.

But the logic I added (mentioned in my original post) needs to dispatch a Redux action, so I implemented a Redux middleware that subscribes to the onIdTokenChanged event. When the event occurs, I essentially verify I can get a token by calling auth().currentUser.getIdToken() and catching any errors. If I see the auth/user-token-expired error code, I dispatch my action. I don't do anything with the token here; I'm just verifying there are no problems.

My concern is either I won't get an idTokenChanged event, or the timing will be 'off,' and I'll get the event before the error starts occurring. And this is why I am trying to reproduce the scenario, to no avail.

Do you see any potential issues with relying on the onIdTokenChanged event for this purpose ?

[pierroo]

Hi @bradstiff did you manage to find a solution to this issue?
I also realized on my end I cannot rely on the "onIdTokenChanged" event, which seems to stop working silently after a while when the app is in background; and I didn't want to rely on using getIdToken() for every single remote calls...

[bradstiff]

I did not find a way to simulate that event. I gave up on it.

…

On Tue, Dec 28, 2021, 3:44 PM Pierre ***@***.***> wrote: Hi @bradstiff <https://github.com/bradstiff> did you manage to find a solution to this issue? I also realized on my end I cannot rely on the "onIdTokenChanged" event, which seems to stop working silently after a while when the app is in background; and I didn't want to rely on using getIdToken() for every single remote calls... — Reply to this email directly, view it on GitHub <#4989 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEDU6IKZ2E4FB4FTTC6VBELUTI4WBANCNFSM4YT4LIXQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: <invertase/react-native-firebase/repo-discussions/4989/comments/1881107@ github.com>

[CTOverton]

@bradstiff could you give more context for the solution you made? I notice this as well where if say a user is deleted from the backend and their token expires, the app never signs them out. I'm not sure where this is meant to be detected as I expected the onAuthStateChanged function to capture this. But maybe I just don't have it setup right.

@mikehardy is there any docs on how to handle the case when the token expires?

[mikehardy]

This, I believe, is still the correct response in the context of this repository, it also still represents my current knowledge: #4989 (comment)