12

Bit of context: I am trying to use Firebase for both authentication and data storage. Since my application deals with potentially sensitive data, the confidentiality features offered by Firebase (all Firebase communication is done via HTTPS according to their blog) seem like a great way to keep my data secured. In fact, the only problem I have with Firebase is that authentication lasts far longer than it should. As far as I can tell, it lasts through device resets, application rebuilds and loss of connection. Even worse, I have no idea how long it persists for. I've tried searching online but I can't find the information anywhere. As far as I can tell, it lasts around a day, but that's just a guess. I am using email and password as credentials for my sign in.

My question has two parts: does anyone know the default duration of Firebase authentication, and does anyone know how to shorten it? Otherwise, are there any other services that are similar to Firebase where you can set the authentication duration?

If I could shorten the duration to 4 hours, Firebase would literally be perfect; otherwise I might have to implement my own authentication, since authentication that lasts for as long as Firebase's is far too insecure.

Frank van Puffelen
Alex
  • I guess an idea would be to grab the token Firebase generates and set a timeout on it. – U r s u s Jun 19 '16 at 12:59
  • Can you implement a simple flag set by .onDisconnect? i.e. when the user logs in, set a firebase flag; goodConnect = true. Then when the connection is interrupted by one of the issues you mentioned, have the onDisconnect set the goodConnect = false. When the user reconnects, if that flag is false, unAuth them and send them back to the initial login screen? onDisconnect runs on the server so it's autonomous of your app. – Jay Jun 19 '16 at 13:32
  • I'm not worried about losing the connection with Firebase, I've implemented some security myself to handle that (the app needs some functionality to work offline anyways). What I'm worried about is someone gaining access to the physical device (it's a phone, I can't even be sure it will have a PIN) and having uncontested access to anything that user has access to. The timeout idea has promise and could definitely work. I didn't realize you could do that; it's definitely not in any of the Firebase documentation I've seen. – Alex Jun 20 '16 at 05:58

1 Answer

20

Firebase Authentication (for 3.x or higher SDKs) uses two types of tokens:

  1. A token that identifies the user. This token is created when the user signs in with the app and does not expire. To get rid of this token, sign out the user.

  2. A token that allows the user to access the Firebase back-end. This token is based on the previous token, is valid for an hour, and is automatically created and refreshed by the Firebase SDKs.

Brad Adams
Frank van Puffelen
  • Thank you so much, this is something I can definitely work with, I just wish this information had been easier to find. Just as an extra, do you know if it's possible to schedule a sign out operation ahead of time? My thought is I might be able to use a disconnect listener to sign a user out if they stay disconnected for an hour, but at the moment I'm not sure how to actually do it. – Alex Jun 20 '16 at 05:44
  • Hi Frank van Puffelen, regarding your 2nd point I have one question: if I want to retrieve data or insert data, then do I need to use the access token? And if yes, then how do I use it? – Anjali Bhimani Jun 20 '16 at 10:42
  • 2
    @FrankvanPuffelen I already know how I can enforce signOut from the client side, I'm hoping for a way for Firebase (or anything other than the device itself really) to enforce it. Client side I can just add an AuthStateListener that schedules a signOut. I'm thinking it may be what I use, but I'm not sure the listener will persist across resets. – Alex Jun 22 '16 at 10:29
  • 2
    How to refresh the token that allows the user to access the Firebase back-end automatically? – Eric Chong Feb 11 '18 at 09:46
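
One way to enforce the 4-hour limit from the question somewhere other than the device, shown as an added example that is not code from the posts above or from Firebase. It assumes a backend that has already verified the hourly ID token's signature, issuer and audience, and that the token's `auth_time` claim records the original sign-in and stays fixed across refreshes; `checkSessionAge`, the constants and the sample claims are hypothetical names and constructed values.

```javascript
// Added example: session-age policy applied to already-verified ID token claims.
// Assumption: `claims` is the decoded payload of a Firebase ID token that a
// trusted verifier (for example the Admin SDK) has already validated.
const MAX_SESSION_SECONDS = 4 * 60 * 60; // 4-hour limit asked for in the question
const CLOCK_SKEW_SECONDS = 60;           // assumed tolerance for clock drift

function checkSessionAge(claims, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { auth_time: authTime, exp } = claims || {};
  // Fail closed when the claims the policy depends on are absent or malformed.
  if (!Number.isInteger(authTime) || !Number.isInteger(exp)) {
    return { allowed: false, reason: "missing-claims" };
  }
  // The hourly token itself has lapsed; the client must refresh it first.
  if (nowSeconds >= exp) {
    return { allowed: false, reason: "token-expired" };
  }
  // A sign-in time in the future means clock trouble or tampered input.
  if (authTime > nowSeconds + CLOCK_SKEW_SECONDS) {
    return { allowed: false, reason: "auth-time-in-future" };
  }
  // The hourly refresh keeps the token valid but does not reset auth_time,
  // so the age of the sign-in keeps growing until the user signs in again.
  const age = nowSeconds - authTime;
  if (age > MAX_SESSION_SECONDS) {
    return { allowed: false, reason: "reauthentication-required" };
  }
  return { allowed: true, reason: "ok", secondsLeft: MAX_SESSION_SECONDS - age };
}

// Constructed sample claims (not real tokens): one sign-in at T0, refreshed twice.
const T0 = 1466400000;
const afterOneHour = { auth_time: T0, iat: T0 + 3600, exp: T0 + 7200 };
const afterFiveHours = { auth_time: T0, iat: T0 + 18000, exp: T0 + 21600 };

console.log(checkSessionAge(afterOneHour, T0 + 3700));    // allowed
console.log(checkSessionAge(afterFiveHours, T0 + 18010)); // rejected, token still unexpired
```

A rejected request with `reauthentication-required` is the signal for the app to sign the user out and show the login screen again.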