
I am creating a Flutter app that uses Firebase Authentication. I have added a change-email option and have some questions regarding the sessions.

Firstly, when the user changes their email the refresh token is revoked. The Firebase documentation examples make use of the Realtime Database to keep track of the times when tokens are revoked. These are then checked in the database rules. The example to update the database can be seen below:

const admin = require('firebase-admin');   // Admin SDK, initialised elsewhere in the backend

// uid and utcRevocationTimeSecs come from the surrounding docs example:
// the user's ID and the revocation cutoff in UTC seconds.
const metadataRef = admin.database().ref('metadata/' + uid);
metadataRef.set({revokeTime: utcRevocationTimeSecs})
  .then(() => {
    console.log('Database updated successfully.');
  });

https://firebase.google.com/docs/auth/admin/manage-sessions#detect_id_token_revocation_in_the_sdk

I'm not sure where to call this code when the email address is changed via the client SDK. Is there an email-updated Firebase Function trigger that I am missing where this timestamp can be written?

I thought about just calling a Firebase Function, but what stops this from being commented out before an attacker updates the email?

Thanks.

  • I'm having a hard time understanding what you're trying to accomplish here. What problem are you trying to solve with the above approach? – Frank van Puffelen Mar 31 '19 at 14:26
  • Hi Frank. If a user changes their email using the Flutter SDK and then the change is reverted using the link that is sent to the original user, the user that made the change now has a session. I was wondering where it is best to update my database's user revoke times so that they cannot read/write – ebg11 Mar 31 '19 at 14:36
  • Try to reduce the context from your question. If you want to know whether you should signal ID token revocation to the client, ask only that. If you've already decided you want to signal revocation from the server to your client, remove anything about why it might be revoked. A more focused (shorter) question is more likely to get answers. – Frank van Puffelen Mar 31 '19 at 14:52
  • While it is typically useful for the client to know that their token was revoked, this is not required to remove their ability to write to the database. For the latter you need to add a check for revocation in the database's security rules, which are enforced server-side. For an example of this, see the documentation right above the link you gave: https://firebase.google.com/docs/auth/admin/manage-sessions#detect_id_token_revocation_in_database_rules – Frank van Puffelen Mar 31 '19 at 14:53
  • Yes but as the security rules read from the database (in the example it is root.child('metadata').child(auth.uid).child('revokeTime').val() ) how should I go about updating the timestamp? – ebg11 Mar 31 '19 at 15:04
  • You'd do that from the same place where you revoke the token. So if you revoke the token in the backend, update the database from that same backend when you revoke the token. – Frank van Puffelen Mar 31 '19 at 17:08
  • Sorry for all the questions Frank. It says that refresh tokens expire when "A major account change is detected for the user. This includes events like password or email address updates" so I assumed I did not have to revoke it myself and why I was asking about a function trigger. – ebg11 Mar 31 '19 at 17:28
  • The refresh token becomes invalid in such events, but any access/id token that was already minted will remain valid until the time specified in its `exp` property (default is one hour from when it was minted). See https://stackoverflow.com/questions/37733576/why-firebase-user-still-signed-in-after-i-deleted-it-from-firebase-dashboard and https://stackoverflow.com/questions/35960546/firebase-still-retrieving-authdata-after-deletion – Frank van Puffelen Mar 31 '19 at 17:49
  • Thanks Frank. Your help is appreciated :) – ebg11 Apr 08 '19 at 18:49
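The pattern the comments converge on (do the email change and the revocation in the backend, then record the cutoff the database rule compares against), as an added example that is not code from the question, the Firebase docs or the Firebase project. authApi and dbRoot are injected stand-ins for admin.auth() and admin.database().ref() so the flow runs offline; all function names are hypothetical.

```javascript
// Added example: backend side of "revoke, then record the revocation time" that a
// Realtime Database rule such as
//   auth.token.auth_time > root.child('metadata').child(auth.uid).child('revokeTime').val()
// relies on. authApi and dbRoot are injected so this runs offline; in a Cloud Function
// they would be admin.auth() and admin.database().ref(). Function names are hypothetical.

async function changeEmailAndRevoke(uid, newEmail, authApi, dbRoot) {
  // Change the address server-side, so a client cannot perform the change
  // while skipping the revocation bookkeeping.
  await authApi.updateUser(uid, { email: newEmail });
  // Invalidate refresh tokens. ID tokens already minted stay valid until exp.
  await authApi.revokeRefreshTokens(uid);
  // tokensValidAfterTime is the authoritative cutoff; store it in UTC seconds.
  const user = await authApi.getUser(uid);
  const revokeTime = Math.floor(new Date(user.tokensValidAfterTime).getTime() / 1000);
  await dbRoot.child('metadata/' + uid).set({ revokeTime });
  return revokeTime;
}

// Same comparison the rule makes: an ID token minted at or before the cutoff is refused.
// Treating a missing revokeTime as "never revoked" is an assumption of this example.
function isIdTokenStillUsable(decodedIdToken, revokeTime) {
  if (revokeTime == null) return true;
  return decodedIdToken.auth_time > revokeTime;
}

// Constructed in-memory stand-ins for admin.auth() and the database root (test use only).
function makeFakes(nowMs) {
  const users = {};
  const db = {};
  const authApi = {
    async updateUser(uid, props) { users[uid] = { ...(users[uid] || {}), ...props }; },
    async revokeRefreshTokens(uid) {
      users[uid] = { ...(users[uid] || {}), tokensValidAfterTime: new Date(nowMs).toUTCString() };
    },
    async getUser(uid) { return users[uid]; },
  };
  const dbRoot = {
    child(path) { return { async set(value) { db[path] = value; } }; },
    read(path) { return db[path]; },
  };
  return { authApi, dbRoot, users };
}
```

A client that never calls this backend endpoint simply does not get its email changed, which is what removes the "comment it out" concern raised in the question.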
