BrandonTang89 / CrowdfundingForSchools

A Crowd Funding Platform For Schools
MIT License

Firebase Token ID Expiry #3

Open BrandonTang89 opened 7 months ago

BrandonTang89 commented 7 months ago

The Firebase authentication ID token expires after 1 hour. Currently, the client experiences error messages without any information on what happened.

It is possible to use the refresh token to get another new authentication token via the REST API:

https://firebase.google.com/docs/reference/rest/auth#section-refresh-token
https://firebase.google.com/docs/auth/admin/manage-sessions

I think that the easiest way to deal with this is to have a route in the server that the client can use to exchange a refresh token for a new token.

The client should store the id token, refresh token and the expiry time of the id token. On every page the client loads, the script should set up a function to run when the token expires (based on time). This means if the user's token expires while they are on a page from our website then it should be refreshed without them knowing.

The alternative solution is maybe to always send the refresh token on every query. Then we can try to use the refresh token if the regular one fails. But this seems like it is not the way a refresh token is intended to be used, though I cannot see an issue with doing so.
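One way to build the scheduled-refresh client described in this comment, as an added example that is not code from the CrowdfundingForSchools project: it keeps the ID token, refresh token and expiry, re-arms a timer before expiry, and on refresh failure clears the session and signals that a fresh login is needed. The server route `/auth/refresh` and the helper `exchangeViaServer` are assumed names; the response fields (`id_token`, `refresh_token`, `expires_in`) match the Firebase refresh-token REST response linked above.

```javascript
const REFRESH_MARGIN_MS = 60 * 1000; // refresh one minute before expiry

// Client-side session: holds the ID token, refresh token and expiry, and
// schedules a silent refresh so the user never sees an expired-token error.
function createSession(exchange, opts = {}) {
  const { now = Date.now, schedule = setTimeout, cancel = clearTimeout,
          onLoginRequired = () => {} } = opts;
  const state = { idToken: null, refreshToken: null, expiresAt: 0, timer: null };

  // Firebase reports expires_in in seconds; convert to an absolute timestamp.
  function store({ id_token, refresh_token, expires_in }) {
    state.idToken = id_token;
    state.refreshToken = refresh_token;
    state.expiresAt = now() + Number(expires_in) * 1000;
    arm();
  }

  function arm() {
    if (state.timer !== null) cancel(state.timer);
    const delay = Math.max(0, state.expiresAt - REFRESH_MARGIN_MS - now());
    state.timer = schedule(refresh, delay);
  }

  // Only the refresh call carries the long-lived refresh token; ordinary API
  // requests send just the short-lived ID token.
  async function refresh() {
    try {
      store(await exchange(state.refreshToken));
      return true;
    } catch (err) {
      // Refresh token revoked or expired: drop the session, ask for a login.
      state.idToken = null; state.refreshToken = null; state.expiresAt = 0;
      onLoginRequired(err);
      return false;
    }
  }

  const isExpired = () => now() >= state.expiresAt;
  // Bearer token for API calls, or null so a stale token is never sent.
  const currentIdToken = () => (isExpired() ? null : state.idToken);

  return { store, refresh, currentIdToken, isExpired, state };
}

// Browser-side exchange against the hypothetical server route /auth/refresh.
async function exchangeViaServer(refreshToken) {
  const res = await fetch("/auth/refresh", { method: "POST",
    headers: { "Content-Type": "application/json" }, body: JSON.stringify({ refreshToken }) });
  if (!res.ok) throw new Error(`refresh rejected: ${res.status}`);
  return res.json();
}
```

In a page script, `createSession(exchangeViaServer, { onLoginRequired: () => location.assign("/login") })` followed by `store(...)` with the tokens from login is enough to keep the session alive across the one-hour expiry.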

BrandonTang89 commented 7 months ago

This also ties in with #12. If there is an error regarding the validity of a token on the server side, the client should get a meaningful message and the client should try to refresh the token or direct the user to log in again.

We could also take the chance to enhance the login with the option for "remember me" to determine whether or not the token should be refreshed.

TheMann77 commented 6 months ago

I would also be very happy to just have the site catch the error, display a "session timeout - please sign in again" message, and then sign them out and redirect to the login page