Invalidate an auth session?


Lee Owen

Aug 14, 2013, 10:10:21 AM
to fireba...@googlegroups.com
Is it possible to remotely invalidate a custom auth session created with auth(AUTH_TOKEN, ...)?

For example, if data in the auth object has been changed by an admin, how would I invalidate the user's session on their next visit?


Michael "Kato" Wulf

Aug 14, 2013, 11:16:12 AM
to fireba...@googlegroups.com
You can break down the JWT token on the client to examine the contents using a method like this:  https://gist.github.com/katowulf/6231937

Then you can examine it to see if it's still valid from the client. For example, let's contrive a path called YOURFIREBASE/authorization_codes which stores valid auth codes.

Assuming we've stored the assigned auth code in the token, we could check it against authorization_codes and see if it's still valid (exists). If an admin has revoked this, then we discard it and request a new token. Security rules would prevent client misuse of revoked tokens.



--
Michael "Kato" Wulf
Firebase Team


--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Lee Owen

Aug 14, 2013, 6:45:50 PM
to fireba...@googlegroups.com
I do have access to the token server-side, and am hoping that the .auth() method is checking an internal token store, so that there is some way for me to invalidate that token server-side.

Something like:

var dataRef = new Firebase("https://mydatastore.firebaseio.com/");
dataRef.unauth(AUTH_TOKEN);

And then the next time the client visits and runs .auth(AUTH_TOKEN), it would throw an error saying "yo, that ticket is invalidated, good day sir!".

Andrew Lee

Aug 14, 2013, 7:21:01 PM
to fireba...@googlegroups.com
Hi Lee -

We don't have any way of invalidating the *token* per se. What Kato is suggesting, though, will have the same effect. Basically you include some data in your token that the rules require to match some data in Firebase. Then, if you want to invalidate the token, you simply change the data in Firebase and voilà, the token doesn't work anymore.

For example, you could have a token with this data:

{version: 15}

And in Firebase you could have:

/CurrentTokenVersion => 15

You'd then have rules that require that auth.version == root.child('CurrentTokenVersion').val()

If you wanted to invalidate that token, just change CurrentTokenVersion to 16, and the rules will fail and the token won't work.

-Andrew






--
Andrew Lee
Founder, Firebase
http://twitter.com/startupandrew

Lee Owen

Aug 14, 2013, 7:24:12 PM
to fireba...@googlegroups.com
Thanks Andrew, that is very helpful.

What is happening behind the scenes in auth(AUTH_TOKEN, ...)? What is that method reaching out to, and doing? Does it hit the server?



Michael Lehenbauer

Aug 14, 2013, 7:39:55 PM
to fireba...@googlegroups.com
Yes, it hits the server.  .auth() passes your auth token to Firebase, which validates that it is valid (not expired, the signature is correct, etc.), and then associates it with your Firebase session so that all future requests are treated as authenticated with that token.

-Michael