shorten auth's customToken expiration

Bosco So

Jan 27, 2017, 5:19:46 PM
to Firebase Google Group
Yup, that's right - I want it shorter. All the search results out there are asking how to make it longer, but I need to test our custom token handling when the expiration triggers. Thus, 1 hour is way too long; is there an easy way to shorten it to a minute or less?

Our node.js code looks something like this:
    firebase.auth()
        .signInWithEmailAndPassword(email, password)
        .then(function(validUser) {
            validUser.getToken(true)
                .then(function(customToken) {
                    // Send token back to client
                    res.writeHead(200, {'Content-Type': 'application/json'});
                    res.end(...);
                });
        });

Given a valid email & password, validUser.getToken(true) returns a valid JWT; however, its expiration is 1 hour. Does getToken take an options literal that lets me modify the expiration?

Jacob Wenger

Jan 27, 2017, 8:41:14 PM
to fireba...@googlegroups.com
Hey Bosco,

Okay, there is actually a lot to unpack for what seems like a simple question, but here it goes:

Short answer: This is not possible at all with the built-in auth providers. It is possible (albeit a bit roundabout) if you are using custom authentication (which it sounds like you are not). That being said, if this is strictly for a unit test (and not a manual test), you could either use Sinon's useFakeTimers() method to mock the client-side time or use nock to mock the Firebase Auth request entirely.

Long answer: The built-in providers will (almost) always return custom tokens which expire after one hour and that time is not configurable. If you are using custom authentication though, you are minting your own custom tokens and can therefore control the expiration time (in theory). This is unfortunately not possible with our Admin Node.js and Java SDKs though since we explicitly do not allow you to specify a custom exp claim (as documented in the blue callout at the end of the Create custom tokens using the Firebase Admin SDKs section). This is mostly to avoid people giving an exp that is over one hour though, not under an hour as in your case. There is nothing explicitly wrong with doing what you are trying to do and I'll start a discussion with some other people over whether we should allow this in the Admin SDKs themselves.

In the meantime, you could work around this by creating custom tokens using a third-party JWT library. This is not a one-liner like it is in the Admin SDKs, but it is actually not as hard as it may sound. If you want to see the exact code we use in the Admin Node.js SDK, just search for "FirebaseTokenGenerator.prototype.createCustomToken" in this file. We make use of the third-party jsonwebtoken node module ourselves. The code is a bit verbose since it is compiled TypeScript, but it should be easy enough to read.

Since it sounds like you just want to do this to test your code, you probably don't want to go through any of the custom authentication effort I talk about above. If you are intending this to be a manual test, I don't have much to tell you other than what you want is not really possible and probably never will be in the Firebase client SDKs. However, if you are building a unit test, you have two good options. For one, you could use Sinon's useFakeTimers() method to mock the client-side time and act like the token you have is already expired. Alternatively, you could use nock to mock the Firebase Auth request entirely, returning an already expired token.

Lots of words, but hopefully you now understand what options you have.

Cheers,
Jacob


Bosco So

Jan 31, 2017, 10:22:40 AM
to Firebase Google Group
Jacob, thank you. This is super helpful. I could not figure out the correct arguments to jsonwebtoken so that Firebase will auth properly. With the correct code in place, I shall have another go at it.

Bosco So

Mar 16, 2017, 3:29:20 PM
to Firebase Google Group
I finally got time to muck around with jsonwebtoken and am able to generate short duration custom tokens that authorize properly on a node.js app.

Looks like there's a 5 minute window with regard to the expiration - in other words, if I set the expiration to 0 seconds, I find that I can still use that token to access my real time database for up to 5 minutes after. Just an observation.

The issue is: the same custom token that works with node (FB 3.7.1) doesn't seem to work in our Mac OSX app (FirebaseOSX 2.5.1). Does the older Firebase library that works with OSX have stricter custom token requirements?

-- Bosco
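
The workaround discussed in this thread, as an added example that is not part of any poster's message and is not Firebase SDK code: it mints a short-lived RS256 custom token with the claim set Firebase documents for third-party JWT libraries, using Node's built-in crypto in place of jsonwebtoken. The key pair, service-account address, timestamps and the checkToken verifier with its leeway parameter are constructed for illustration; the 300-second leeway only models the window observed above and is not documented Firebase behaviour.

```javascript
// Added example: function names and inputs are illustrative, not Firebase SDK code.
const crypto = require('crypto');

// Audience Firebase documents for custom tokens made with third-party JWT libraries.
const FIREBASE_AUD =
  'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

const b64url = (v) => Buffer.from(v).toString('base64url');

// Mint an RS256 custom token that lives for ttlSeconds (may be far below one hour).
function mintCustomToken(serviceAccountEmail, privateKey, uid, ttlSeconds, nowSec) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = {
    iss: serviceAccountEmail,
    sub: serviceAccountEmail,
    aud: FIREBASE_AUD,
    iat: nowSec,
    exp: nowSec + ttlSeconds,
    uid: uid,
  };
  const signingInput = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return signingInput + '.' + sig.toString('base64url');
}

// Hypothetical verifier: checks the signature first, then exp plus a clock-skew allowance.
function checkToken(token, publicKey, nowSec, leewaySec) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  const ok = crypto.verify('RSA-SHA256', Buffer.from(parts[0] + '.' + parts[1]),
                           publicKey, Buffer.from(parts[2], 'base64url'));
  if (!ok) return 'bad-signature';
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (typeof claims.exp !== 'number') return 'malformed';
  return nowSec > claims.exp + leewaySec ? 'expired' : 'valid';
}

// Constructed inputs: throwaway key pair, placeholder service account, fixed clock.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUED_AT = 1489700000;
const token = mintCustomToken('svc@example-project.iam.gserviceaccount.com',
                              privateKey, 'test-user', 0, ISSUED_AT);

console.log(checkToken(token, publicKey, ISSUED_AT + 60, 0));    // strict verifier
console.log(checkToken(token, publicKey, ISSUED_AT + 60, 300));  // verifier with leeway
console.log(checkToken(token, publicKey, ISSUED_AT + 301, 300)); // past the leeway
```

Passing the clock in as nowSec keeps the expiry test deterministic, the same idea as mocking time with Sinon's useFakeTimers().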

