Add a logout method #12
Comments
Hi @mwanjajoel. Thanks for your feedback!! A work-around for this is a good addition. Can you think of/come up with something? Cheers.
I am new to Firebase, but if there is a way to regenerate the login token but not send it back to the user, it would invalidate the token they currently have (which should be deleted on the client side).
In my setup (basic email sign-in only), hitting the login route and performing a signInWithEmail generates a new token and refresh token, invalidating any old tokens. So you could easily not send this information back and it would invalidate any token the user would have.
Hi @MrStLouis, are you sure about this? I'm not sure generating new tokens or refreshing existing tokens for a user invalidates previous tokens... Firebase uses JWT, which really has no invalidation mechanism. The only way to invalidate a token would be to manually save generated tokens on the server and delete as appropriate. The Firebase Admin SDK that decodes the token does not communicate with Firebase servers, so it's highly unlikely that the SDK invalidates tokens that have not expired.
Ah, I see what you mean. You can generate new tokens, but if the user somehow attaches the previous token to their requests, they are still technically 'valid'. Logout is really only implemented client side, and anyone can use old tokens as long as they aren't expired, which is why the expiration time is usually short. Token invalidation requires something else on the server, which defeats the purpose of using Firebase in the first place.
You can, however, revoke refresh tokens, which is probably as close to a logout method as we will get.
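The distinction discussed in the comments above, as an added example that is not code from this project or from the Firebase SDK: a signature-and-expiry check keeps accepting a token issued before logout, while a check against a per-user "valid after" timestamp rejects it. The HMAC key, the in-memory `validAfter` map and all function names are constructed for illustration; the Firebase Admin SDK offers the equivalent through `revokeRefreshTokens(uid)` and the `checkRevoked` argument of `verifyIdToken`.

```javascript
// Added example: constructed in-memory stand-ins, not the Firebase Admin SDK.
const crypto = require('crypto');

const SECRET = 'constructed-demo-key'; // stands in for the issuer's signing key
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Issue an HS256 JWT carrying the sign-in time (auth_time) and expiry, in seconds.
function issueToken(uid, authTime, ttl = 3600) {
  const body = b64({ alg: 'HS256', typ: 'JWT' }) + '.' +
               b64({ sub: uid, auth_time: authTime, exp: authTime + ttl });
  return body + '.' + sign(body);
}

// Stateless verification: signature and expiry only, no server-side lookup.
function verifyStateless(token, now) {
  const [h, p, sig] = token.split('.');
  if (!h || !p || !sig) throw new Error('malformed');
  const expected = Buffer.from(sign(h + '.' + p));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.exp <= now) throw new Error('expired');
  return claims;
}

// Per-user revocation record: uid -> time before which sign-ins are void.
const validAfter = new Map();
function logout(uid, now) { validAfter.set(uid, now); }

// Same checks as above plus the server-side lookup that makes logout effective.
function verifyWithRevocation(token, now) {
  const claims = verifyStateless(token, now);
  if (claims.auth_time < (validAfter.get(claims.sub) ?? 0)) throw new Error('revoked');
  return claims;
}

function demo() {
  const t0 = 1700000000;                         // constructed timestamps
  const old = issueToken('user-1', t0);          // token held before logout
  logout('user-1', t0 + 60);
  const fresh = issueToken('user-1', t0 + 120);  // token from a later sign-in
  const outcome = (fn, tok) => { try { fn(tok, t0 + 180); return 'accepted'; } catch (e) { return e.message; } };
  return { oldStateless: outcome(verifyStateless, old),
           oldChecked: outcome(verifyWithRevocation, old),
           freshChecked: outcome(verifyWithRevocation, fresh) };
}
```

The revocation check costs one lookup per request, so the short expiry mentioned above still bounds how long a stolen token works on any endpoint that skips the lookup.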
Hello. Thanks for the good work. I am thinking a logout method is a good addition.