3
votes
  1. I successfully auth with phone-number. (I can check firebase.auth.currentUser that I'm logged in.)
  2. Then I'm calling my firebase admin route which has admin.auth().updateUser(uid, somevalues) to set user displayName and email.
  3. After this step finished, my user data changed displayName and email (it is checked in the firebase console). In my auth I run firebase.auth().currentUser.reload() to get the updated user data and suddenly there is the error auth/user-token-expired. I have checked: only after I use admin.auth().updateUser(....) is my token lost. If I do not run this command then I can do firebase.auth().currentUser.reload() without problem.

UPDATE: Only if I set email when calling admin.auth().updateUser(....) does my token inside the app become invalid. If I change only displayName, the token remains valid.

1
Do you also have email auth enabled in your Firebase account? If so, invalidation of the token would make sense as a security precaution. - majorobot
Oh. So I can't have phone auth and email auth at the same time? - rendom
No, actually you can have both (and Firebase actually suggests that). But, if your account is set to allow users to auth with email, I would think the token is reliant on that credential whether you knew it or not. So, changing the credential (email address) would invalidate the token. Otherwise, it makes it easier to steal another user's token and session. - majorobot
@misterfancypants what should I do then to not have this error and still be able to change email? - rendom
I understand, but I never saw an app or site where after changing email I had to reauthorize. It's just a bad UX. What I did is extracted the email update from cloud functions and executed it from client auth. So I updated email and did not reauthorize. - rendom

1 Answer

6
votes

I'm not sure what the exact question is here, but reload() will use a refresh token; however, refresh tokens expire when "A major account change is detected for the user. This includes events like password or email address updates."

See: https://firebase.google.com/docs/auth/admin/manage-sessions

So when your refresh token expires (due to the 'major account change'), you need to re-authorize.
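The rule the answer cites, as an added in-memory model that is not part of the original post and not Firebase's own code: a refresh token issued before a "major account change" (email or password update) stops working, while a displayName-only update leaves it valid. All names here (createUser, signIn, updateUser, reload, scenario) and the clock values are constructed for the illustration.

```javascript
// Constructed model of the session rule: tokens issued before the user's
// tokensValidAfterTime are rejected, exactly as the questioner observed.
const users = new Map();         // uid -> { email, displayName, tokensValidAfterTime }
const refreshTokens = new Map(); // token -> { uid, issuedAt }
let clock = 1000;                // constructed monotonic clock, not wall time
const now = () => (clock += 1);

function createUser(uid, fields) {
  users.set(uid, { ...fields, tokensValidAfterTime: now() });
}

// Client side: a successful sign-in (e.g. by phone number) yields a refresh token.
function signIn(uid) {
  const issuedAt = now();
  const token = `rt-${uid}-${issuedAt}`;
  refreshTokens.set(token, { uid, issuedAt });
  return token;
}

// Admin side, mirroring admin.auth().updateUser(uid, fields): only an email
// (or password) change is a "major account change" that revokes earlier tokens.
function updateUser(uid, fields) {
  const u = users.get(uid);
  const majorChange =
    ("email" in fields && fields.email !== u.email) || "password" in fields;
  Object.assign(u, fields);
  if (majorChange) u.tokensValidAfterTime = now();
  return u;
}

// Client side, mirroring currentUser.reload(): redeem the refresh token.
function reload(token) {
  const rt = refreshTokens.get(token);
  const u = rt && users.get(rt.uid);
  if (!u || rt.issuedAt < u.tokensValidAfterTime) {
    return { error: "auth/user-token-expired" }; // client must sign in again
  }
  return { email: u.email, displayName: u.displayName };
}

// Replays the question: sign in, apply an admin update, then reload().
function scenario(fields) {
  users.clear();
  refreshTokens.clear();
  createUser("u1", { email: null, displayName: null });
  const token = signIn("u1");
  updateUser("u1", fields);
  return reload(token);
}
```

A client that catches `auth/user-token-expired` from `reload()` should treat it as a signal to re-authenticate rather than retry.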