Add a logout method
Opened this issue · 6 comments
Hello. Thanks for the good work. I am thinking a logout method is a good addition.
Hi @mwanjajoel. Thanks for your feedback!!
Firebase does not currently have a token invalidation process. The token retrieved on login, is valid till it expires (regular JWT).
A work-around this is a good addition. Can you think of/come up with something? Cheers.
I am new to firebase but if there is a way to regenerate the login token but not send it back to the user it would invalidate the token they currently have (which should be deleted on the client side)
in my setup (basic email signin only) hitting the login route and performing a signInWithEmail generates a new token and refresh token invalidating any old tokens. So you could easily not send this information back and it would invalidate any token the user would have.
Hi @MrStLouis, are you sure about this? I'm not sure generating new tokens or refreshing existing tokens for a user invalidates previous tokens...
Firebase uses jwt which really has no invalidation mechanism. The only way to invalidate a token would be to manually save generated tokens on the server and delete as appropriate. The firebase admin sdk that decodes the token does not communicate with Firebase servers, so it's highly unlikely that the sdk invalidates tokens that have not expired.
ah I see what you mean. you can generate new tokens but if the user somehow attaches the previous token to their requests they are still technically 'valid'. logout is really only implemented client side and anyone can use old tokens as long as they aren't expired which is why the expiration time is usually short. token invalidation requires something else on the server which defeats the purpose of using firebase in the first place
you can however revoke refreshtokens which is probably as close to a logout method as we will get