gladly-team/next-firebase-auth

How to SSR signout & redirect to login

splacentino opened this issue · 3 comments

Describe the bug
Some API call made in getServerSideProps can lead to an invalidation of the authorized user. The user should be logged out & redirected to the login page.

  • Calling AuthUser.signOut has no effect
  • Manual redirection to login page will redirect to application page as there is still a valid authed user.

Versions

next-firebase-auth version: 1.0.0-canary.18
Firebase JS SDK: 9.14.0
Next.js: 12.3.1

To Reproduce
Steps to reproduce the behavior:

  1. Implement page / with a getServerSideProps wrapped in withAuthUserSSR.
  2. Implement page /login with a getServerSideProps wrapped in withAuthUserSSR + content wrapped in withAuthUser (for redirection only).
  3. Log in
  4. Get redirected to /
  5. Unexpected behaviour

Expected behavior
Describing a flow on "how to signOut from server side & redirect to /login page with cleared user".

Debug and error logs
No error logs.

Additional context

Login page (/login):

export const getServerSideProps = withAuthUserSSR({
  whenAuthed: AuthAction.REDIRECT_TO_APP,
})();

export default withAuthUser({
  whenAuthed: AuthAction.REDIRECT_TO_APP,
})(Login);

Main page (/):

export const getServerSideProps = withAuthUserTokenSSR({
  whenUnauthed: AuthAction.REDIRECT_TO_LOGIN,
})(async ({ AuthUser, ...context }) => {
  // Assuming we have an issue that requires to logout
  await AuthUser.signOut();
  return {
    redirect: {
      statusCode: 301,
      destination: '/login',
    },
  };
});

Edit (additional question):
How to perform an additional async check on a freshly logged-in user to possibly revoke access?

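import { getApp } from 'firebase/app';
import { getAuth, signInWithEmailAndPassword } from 'firebase/auth';

const auth = getAuth(getApp());
await signInWithEmailAndPassword(auth, email, password);
// From here, code is not performed well as we are redirected according to redirect URL.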

I'm not sure how we'd handle this. This library relies on client-side Firebase authentication state as the source of truth for whether a user is authenticated or not. Even if we unset the user's auth cookies, how would we handle the user still being logged in on the client side?

jodik commented

You can redirect to a client "logout" page, and the client will also log out the user.

Closing this: this library will continue to rely on the client-side Firebase state as the source of truth for authentication.
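
The flow suggested in the thread (the server redirects to a client "logout" page, and that page signs the user out on the client, where the library's source of truth lives), as an added example that is not code from the issue or from next-firebase-auth. `guardSSR`, `runLogoutPage`, `checkAccess` and the `/logout` route are assumed names; `AuthUser` and `router` are passed in so the logic runs without Next.js.

```javascript
// Added example. guardSSR, runLogoutPage, checkAccess and LOGOUT_PATH are
// hypothetical names; AuthUser.signOut() and the redirect shape are the real APIs.
const LOGOUT_PATH = '/logout'; // assumed client-only page
const LOGIN_PATH = '/login';

// Server side: wrap the handler given to withAuthUserTokenSSR(...)(handler).
// When the extra server check fails, send the browser to the client logout
// page rather than /login, which would bounce a still-authed user to the app.
function guardSSR(checkAccess, handler) {
  return async (ctx) => {
    const allowed = await checkAccess(ctx.AuthUser);
    if (!allowed) {
      // permanent: false yields a 307, so the browser does not cache it.
      return { redirect: { destination: LOGOUT_PATH, permanent: false } };
    }
    return handler(ctx);
  };
}

// Client side: body of the effect that runs on the /logout page.
// signOut() clears the client-side Firebase state the library relies on.
async function runLogoutPage(AuthUser, router) {
  try {
    await AuthUser.signOut();
  } catch (err) {
    // Still signed in: navigating to /login now would loop back to the app,
    // so stay on the page and report the failure instead.
    return { signedOut: false, error: String((err && err.message) || err) };
  }
  router.replace(LOGIN_PATH);
  return { signedOut: true, error: null };
}
```

On the `/logout` page, `runLogoutPage(useAuthUser(), useRouter())` would be called from a `useEffect`, and the page should render the returned error rather than redirect when `signedOut` is false.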