0

I have a question, hopefully you can guide me, I am integrating an Angular application and a Node.js API, in both we use Firestore (firebase) we are integrating an Angular request (client) to an api rest (Node.js) when validating the tokens of the authenticated user (firebase) we have a problem since the token never expires, we do not know why it does not expire, although we log out in the Angular application it always returns as a valid token in Node.js.

From the client (Angular) we are using this code to send the token to the API (Node.js)

firebase.auth().currentUser.getIdToken(/* forceRefresh */ true).then(function(idToken) {
  // Send token to your backend via HTTPS
  // ...
}).catch(function(error) {
  // Handle error
});

The validation from the Rest API is like this:

// idToken comes from the client app
admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    let uid = decodedToken.uid;
    // ...
  }).catch(function(error) {
    // Handle error
  });

The problem is that the token never expires, since Node.js always tells me that the token is valid, how should it validate if the user is still active?

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
user1088984
  • 37
  • 4

1 Answers1

0

A fresh token will expire after one hour. It will always have an expiration - it will never last forever.

Your client code is always requesting a fresh token using forceRefresh=true, which implies that if it's immediately sent to the server, then the server will always see it as valid.

What you're doing is fine. However, it's not necessary to get a fresh ID token for each call to the server. You can certainly reuse a token for the entire hour that it was given. The Firebase SDK will automatically refresh the token for you, so you can also just listen for token updates using onTokenChanged, and only use the most recent token you get from the token observer callback you provide.

Read also:

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441