6
votes

I'm currently using firebase.auth().createUserWithEmailAndPassword(email, password) to authenticate users and using the JWT token from firebase.auth().currentUser.getToken(true) for API requests. However, Firebase is invalidating the token after 1 hour. So I'm wondering how should I refresh the token. Do I have to use my own custom token generation to properly utilize token refreshing?

I'm currently using this though I only tested it once but it seems to work.

firebase.auth().onAuthStateChanged(function () {
  // Refresh token here
})

I've been reading the docs over and over again and haven't seen any mentions of refreshing the tokens for the Web Apps. I've also looked at example repositories for firebase and have not seen anyone use onAuthStateChanged for something like this. So I'm wondering is this the right approach for client side token refresh? The reason why I feel this might not be the best approach is because this might have a race condition. For example if the token expires and I send an API request with the old token before I refresh the token then my API request will have an auth failure for token expiration.

This is very similar to the question in Firebase DB HTTP API Auth: When and how to refresh JWT token? but slightly different in the sense that the question is for using Python and no mentions of onAuthStateChanged.

Thanks!

1
Typically if a token is expired, you have to call firebase.auth().currentUser.getToken() to get a fresh one. It takes care of returning a fresh token back to you each time you call it. Firebase id tokens are sensitive data and you should be careful how you pass them around. - bojeil
@bojeil Ya that's what I'm doing but I'm trying to find out when the token expires so I can refresh the token. Because I don't see anywhere in the docs on how to check when the token expires. I want to verify if there's a better way above or am I supposed to always refresh the token before every API request which doesn't seem optimal - Kenneth Truong
getToken checks internally if the token is expired and refreshes it and returns a new one. The token lasts for an hour. - bojeil
So you're suggesting I do this? Using setTimeout(function() { /* refresh token */ }, 60 * 60 * 1000); (Probably maybe have it refresh every 50 minutes instead of 60 minutes) But I'm not sure how comfortable I feel about refreshing the token based on knowing that the token lasts for one hour when it isn't explicitly mentioned in the code/token. This technically will break in the case that Firebase changes the token to expire at a different time instead of 1 hour. - Kenneth Truong
When the token is returned from the backend server, the expiration time is returned with it too. The library will keep track of that. If the expiration time is exceeded, it will call the backend for a new one. If you force refresh by passing true, it will send a request to the backend. Otherwise the token is cached and returned without querying the backend. - bojeil

1 Answer

1
votes

For those who came into this post looking for an answer: you can grab the token right before all your API calls to get the token.

// Make sure you don't pass in true which will always refresh the token
firebase.auth().currentUser.getToken() 

Firebase will internally determine if the token needs to be refreshed or grab it from cache. If you notice, Firebase will not send any network requests until the token is expired.
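
The per-request pattern from the answer, combined with a single forced-refresh retry for the expiry race raised in the question, as an added example that is not part of the original post or Firebase's own code. makeAuthorizedRequest, fakeTokenSource, fakeApi and demo are hypothetical names; the token source and API are constructed stand-ins so the sketch runs offline.

```javascript
// Added example, not Firebase code. getToken and send are injected so the
// sketch runs offline; in the app they would be
//   force => firebase.auth().currentUser.getToken(force)   and   fetch.
function makeAuthorizedRequest(getToken, send) {
  return async function request(url, options = {}) {
    const attempt = async (forceRefresh) => {
      const token = await getToken(forceRefresh);
      // The token goes only into the Authorization header, never a URL or a log.
      const headers = Object.assign({}, options.headers, { Authorization: 'Bearer ' + token });
      return send(url, Object.assign({}, options, { headers }));
    };
    // Normal path: the SDK returns its cached token or refreshes it if expired.
    let res = await attempt(false);
    // The race from the question: the token lapsed between getToken() and the
    // server's check. Force one refresh and retry once, never in a loop.
    if (res.status === 401) res = await attempt(true);
    return res;
  };
}

// Constructed stand-in for the SDK's token cache (assumption: cached until
// expiry, passing true forces a refresh, as described in the comments above).
function fakeTokenSource(clock, lifetimeMs) {
  let cached = null, serial = 0;
  return async function getToken(force = false) {
    if (force || !cached || clock.now >= cached.exp) {
      cached = { value: 'tok-' + (++serial), exp: clock.now + lifetimeMs };
    }
    return cached.value;
  };
}

// Constructed stand-in for the API: answers 401 for any token in `rejected`.
function fakeApi(rejected, seen) {
  return async (url, opts) => {
    const token = opts.headers.Authorization.slice('Bearer '.length);
    seen.push(token);
    return { status: rejected.has(token) ? 401 : 200 };
  };
}

async function demo() {
  const clock = { now: 0 }, rejected = new Set(), seen = [];
  const request = makeAuthorizedRequest(fakeTokenSource(clock, 3600e3), fakeApi(rejected, seen));
  const statuses = [(await request('/a')).status, (await request('/b')).status];
  rejected.add('tok-1');               // server now treats tok-1 as expired
  statuses.push((await request('/c')).status);
  return { statuses, seen };           // seen: tok-1, tok-1, tok-1, tok-2
}
```

A second 401 after the forced refresh is returned to the caller as-is, so a revoked or disabled account fails visibly instead of looping on refresh.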