Firebase re-authentication required

15
votes

We are working on an iOS app that is using Google to authenticate with firebase. According to https://www.firebase.com/docs/ios/guide/user-auth.html#section-login Firebase says that auth tokens expire every 24 hours. We are wondering if the following scenario is something we need to consider:

  1. User authenticates with Google and Firebase
  2. Our app gets a Firebase auth token that expires in 24 hours
  3. User closes our iOS app
  4. 1 minute before the Firebase auth token expires, the user reopens the app
  5. A minute later we make a request to Firebase. The auth token has expired.

It seems we have to reauthenticate with Firebase by observing authentication changes per https://www.firebase.com/docs/ios/guide/user-auth.html#section-monitoring-authentication. But will we have to re-issue the same request to Firebase from #5 above? Also it seems we could reauthenticate in the cancelBlock:

[ref observeEventType:FEventTypeValue withBlock:^(FDataSnapshot *snapshot) {
    NSLog(@"%@", snapshot.value);
} withCancelBlock:^(NSError *error) {
    NSLog(@"%@", error.description);
    // reauthenticate and then re-issue request?
}];

This would not be ideal because we would have to write this code everywhere that we make a request.

What are the best practices to deal with this scenario? Does Firebase automatically refresh the auth token when it's close to expiry?

1
iosfirebasefirebase-authentication
Note: the default is 24 hours but you can change this under the Login & Authentication tab under Session Length - sjm
That is correct. However regardless of the interval, the question is whether there is going to be point in time where the google oauth token is valid but the firebase token expires. Our experiments with 30 second firebase timeout seems to indicate that we have to manually refresh firebase auth tokens - vjy
You have to manually refresh the auth token. You can monitor .info/authenticated to detect change state--a better answer than the cancel callback. - Kato
i have exactly the same issue. Everytime a user resume the application, i check the auth state, and reauth if it has expired. However, sometimes, user still get bombed for expired auth issue. - dshun
@sjm how do you change the length, I do not see it in the console - not sure if things have changed? - Lion789

1 Answers

0
votes

Obviously, the question was regarding an old version of Firebase and its SDK. The current version of Firebase (3.X) makes it easier for you since Firebase remembers how the user was last logged in your app.

So you should simply call FIRApp.configure() as always e.g. in your application: didFinishLaunchingWithOptions launchOptions: and then add a state listener also at the launch of your app like

FIRAuth.auth()?.addStateDidChangeListener() { (auth, firUser) in 
// do something with firUser, e.g. update UI
}

The listener will then automatically be invoked around the time of your application launch by Firebase whenever something changes about your user and the tokens are handled in the background by Firebase, i.e. you don't have to deal with expired tokens. (It may be more complex if you use a Custom Auth System).