adminSdk.auth().verifyIdToken() success after account disabled


Naser Samara

Jun 17, 2021, 5:53:05 AM
to Firebase Google Group
Hi,

I use adminSdk.auth().verifyIdToken() to protect my Cloud Functions, but I noticed that verifyIdToken() is still fulfilled even after I disable the account under Authentication > Users in the Firebase console.
Why does that happen?
 

 // fireBase is the initialized firebase-admin instance
 fireBase.auth().verifyIdToken(request.body.id)
     .then((decodedIdToken) => { /* token is valid */ })
     .catch((err) => { /* token is invalid or expired */ });

I also tried

 fireBase.auth().verifyIdToken(request.body.id, true)
     .then((decodedIdToken) => { /* token is valid and not revoked */ })
     .catch((err) => { /* token is invalid, expired or revoked */ });

Sam Stern

Jun 17, 2021, 5:55:53 AM
to Firebase Google Group
Hi Naser,

ID tokens cannot be revoked. So even if you disable or delete a user, their current ID token will still pass verification until it expires, which is one hour from the time it was created. If the user tried to get a new ID token they would be denied, as their account has been disabled.

If you need to be able to disable users immediately and you can't wait up to one hour for the tokens to expire, you'll have to store a list of "banned" user IDs somewhere and check against that list before performing very sensitive actions.

- Sam


Naser Samara

Jun 17, 2021, 6:31:35 AM
to Firebase Google Group
I think that using fireBase.auth().getUser(request.body.uid) would be better than fireBase.auth().verifyIdToken(request.body.JWT), because it returns the user status; thus the user can be banned immediately after I disable their account.
So instead of sending the JWT I will only send the UID of the user.

So protecting Cloud Functions with fireBase.auth().getUser(request.body.uid) would be a better solution than fireBase.auth().verifyIdToken(request.body.JWT).
What do you think? Am I missing something?

thank you

Sam Stern

Jun 17, 2021, 6:39:28 AM
to Firebase Google Group
Hi Naser,

Sending the UID alone is not secure! You will have to do both:
  1. Validate the JWT
  2. Extract the UID from the JWT
  3. Check that the UID is not banned
- Sam

Naser Samara

Jun 17, 2021, 8:04:29 AM
to fireba...@googlegroups.com

Sam Stern

Jun 17, 2021, 8:06:22 AM
to Firebase Google Group
Hi Naser,

A UID is not generally a secret. It would not be hard for a user to guess the UID of another user, or just to try random UIDs with a script. That's why we always use ID tokens for authentication. The ID token is a signed assertion of the user's identity, it is impossible to fake or guess and much harder to steal.

- Sam

Hiranya Jayathilaka

Jun 17, 2021, 9:58:34 AM
to fireba...@googlegroups.com
You can also revoke the refresh token of the user when disabling the account. Then verifyIdToken(token, true) would fail.

However, I wonder if Firebase Auth should set the tokensValidAfterTime for disabled users. I can check with the Auth team why that's not already the case.

Thanks,
Hiranya

--

Hiranya Jayathilaka | Software Engineer | h...@google.com | 650-203-0128

Naser Samara

Jun 21, 2021, 4:50:37 PM
to Firebase Google Group
I am using Angular 6 in my app.
My question is: if the user has had the app open for more than an hour, does the following code update the JWT?

import { AngularFireAuth } from '@angular/fire/auth';
import { Subject } from 'rxjs';

export class AuthService {
  user;
  userDetails: any = null;
  jwt: string;
  userAuthDoneSubject = new Subject<void>();

  constructor(private firebaseAuth: AngularFireAuth) {
    this.user = firebaseAuth.authState;
    this.user.subscribe(
      (userDetails: any) => {
        if (userDetails) {
          this.userDetails = userDetails;
          // set the JWT variable (_lat is an undocumented internal field of the
          // user object; getIdToken() is the public API for the current token)
          this.jwt = userDetails._lat;
          console.log(this.jwt);
        } else {
          this.userDetails = null;
        }
        this.userAuthDoneSubject.next();
      },
      (error) => { this.userAuthDoneSubject.error('AuthService: error authenticating'); }
    );
  }
}