Getting auth_time using Firebase web SDK


Eryi Toh

Sep 7, 2016, 10:33:52 AM
to Firebase Google Group
The User.getToken() method returns a JWT that, when decoded, contains an auth_time property.

1. Is there a more direct way of getting auth_time without calling getToken() and then decoding the JWT?
2. Is this a reliable way to log the user out after a period of time? Does auth_time ever get "automatically" refreshed without the user explicitly authenticating himself?

Alfonso Gomez Jordana Manas

Sep 9, 2016, 6:10:08 AM
to Firebase Google Group
Hi Eryi, answers inline:

On Wednesday, September 7, 2016 at 4:33:52 PM UTC+2, Eryi Toh wrote:
> The User.getToken() method returns a JWT that, when decoded, contains an auth_time property.
>
> 1. Is there a more direct way of getting auth_time without calling getToken() and then decoding the JWT?

Not at the moment.

> 2. Is this a reliable way to log the user out after a period of time? Does auth_time ever get "automatically" refreshed without the user explicitly authenticating himself?

auth_time only gets updated when the user explicitly authenticates himself.

I am curious, could you explain a bit more about your use case to log the user out after some time?

Thanks!

Joe White

Sep 13, 2016, 11:49:42 AM
to Firebase Google Group
[Just another user here] You might want to think about decoupling deep decoding into the authorization flow, and instead create and manage your own "session time" within your database. Off of a separate User "info" node, you might put current session information .. set the start time when you detect that the user has logged in (listen for auth changed), and run a separate session time on that time + your "warn" time (to send the user a message before they are logged out), and a "force stop" event, where you would disconnect the user.

That way, you are not at the mercy of changes in the internal "authorization" process that Firebase uses.

On a separate note, you might look at making a feature request to the Firebase team to include a "getSessionTime()" function or a set alarm time that you can listen for directly.

just some thoughts

Eryi Toh

Sep 14, 2016, 9:49:48 AM
to Firebase Google Group
I think Firebase auth is already sufficiently decoupled as it is. JWT is an open standard that can be used by anyone. If you are not satisfied with Firebase's auth for any reason, you could easily create your own and issue your own compatible JWT with minimal changes to server side logic.

I just wish that Firebase had a User.getDecodedToken() method. This would save me the pain of importing a JWT library just to decode something that they have already decoded.

Frank van Puffelen

Sep 14, 2016, 9:53:01 AM
to Firebase Google Group
Given that the token from Firebase has been verified by the server, you can decode it without verifying with a simple function:

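  // Decodes the JWT payload only; the signature is NOT checked here.
  function parseJwt (token) {
    var base64Url = token.split('.')[1];
    // base64url -> base64: replace every '-' and '_', not just the first one
    var base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(window.atob(base64));
  };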

Eryi Toh

Sep 14, 2016, 9:55:44 AM
to Firebase Google Group
For users attempting more sensitive operations, I would like them to have been authenticated recently. The motivation is very similar to Firebase's own "auth/requires-recent-login" error.
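
The recent-authentication check discussed in this thread, as an added example (not code from any poster here or from the Firebase SDK): it decodes the payload of the JWT returned by User.getToken() and tests how old auth_time is. The function names, the sample claims and the `makeSampleToken` helper are assumptions made for illustration; the sample token is constructed and carries a placeholder signature.

```javascript
// Added example. The payload is decoded WITHOUT verifying the signature, so
// the result is only a client-side hint; enforcement belongs on a server
// that verifies the token before trusting auth_time.

function base64UrlDecode(segment) {
  // base64url -> base64: replace every '-' and '_', then restore padding.
  var b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  var binary = (typeof atob === 'function')
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  // Treat the bytes as UTF-8 so non-ASCII claim values survive decoding.
  var bytes = Uint8Array.from(binary, function (c) { return c.charCodeAt(0); });
  return new TextDecoder('utf-8').decode(bytes);
}

function decodeJwtPayload(token) {
  var parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True only when auth_time (seconds since epoch) is present, numeric, and
// no older than maxAgeSeconds. A future auth_time is rejected (assumption:
// no clock-skew allowance).
function isRecentlyAuthenticated(token, maxAgeSeconds, nowSeconds) {
  var claims;
  try { claims = decodeJwtPayload(token); } catch (e) { return false; }
  if (!claims || typeof claims.auth_time !== 'number') return false;
  var age = nowSeconds - claims.auth_time;
  return age >= 0 && age <= maxAgeSeconds;
}

// Constructed sample token for running this under Node: real header/payload
// encoding, placeholder signature. Not a real Firebase token.
function makeSampleToken(claims) {
  function enc(obj) {
    return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  }
  return enc({ alg: 'RS256', typ: 'JWT' }) + '.' + enc(claims) + '.constructed-signature';
}
```

In the browser, pass `Math.floor(Date.now() / 1000)` as `nowSeconds`; when the check fails, prompt the user to sign in again before the sensitive operation.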