firebase / firebase-admin-node

Firebase Admin Node.js SDK
https://firebase.google.com/docs/admin/setup
Apache License 2.0

Session cookie refresh #2349

Open francescovenica opened 10 months ago

francescovenica commented 10 months ago

Hello, I'm using Firebase Auth (actually GCP Identity Platform) with the session cookie in a NextJS app. Everything is working fine, but I'm looking for a way to refresh the cookie to avoid forcing the user to log in again when the session expires. There isn't an official way to do that, but I might have found a solution; I'm just not 100% sure this is secure enough or if there are issues I'm missing. The idea is to have a refresh endpoint with this code:

    // Assumptions added when tidying the snippet: the namespaced firebase-admin
    // import, the Identity Toolkit REST base URL and a two-week cookie lifetime.
    // setCookie and cookieOptions are the app's own helpers (not shown here).
    import { auth } from "firebase-admin";

    const GOOGLE_API = "https://identitytoolkit.googleapis.com/v1/accounts";
    // createSessionCookie takes milliseconds (allowed range: 5 minutes to 2 weeks).
    const expiresIn = 14 * 24 * 60 * 60 * 1000;

    export default async function handler(req, res) {
      // The value being refreshed is the existing session cookie, not an ID token.
      const currentCookie = req.cookies.session || req.body.sessionCookie;
      // Second argument enables the revocation check; throws if invalid or revoked.
      const session = await auth().verifySessionCookie(currentCookie, true);

      if (session) {
        const customToken = await auth().createCustomToken(session.uid);

        const response = await fetch(
          `${GOOGLE_API}:signInWithCustomToken?key=${process.env.NEXT_PUBLIC_API_KEY}`,
          {
            method: "POST",
            cache: "no-cache",
            headers: { "Content-Type": "application/json" },
            body: JSON.stringify({ token: customToken, returnSecureToken: true }),
          },
        );
        // Without this check a failed exchange hands undefined to createSessionCookie.
        if (!response.ok) {
          return res.status(response.status).json({ error: "token exchange failed" });
        }

        const result = await response.json();
        const sessionCookie = await auth().createSessionCookie(result.idToken, {
          expiresIn,
        });

        setCookie(res, "session", sessionCookie, {
          ...cookieOptions,
          maxAge: expiresIn,
        });

        // Note: the custom token can itself be exchanged for an ID token, so only
        // return it in the body if the client actually needs it.
        return res.json({ session, customToken, sessionCookie });
      }
    }

Then every time I want, I can call this refresh endpoint and the session will be updated. It seems to work, but I'd like to have some feedback on this.

google-oss-bot commented 10 months ago

I found a few problems with this issue:

gustavopch commented 9 months ago

Also curious about this. I hope someone from the team can leave a comment.

brad-technologik commented 6 months ago

Also looking for this. I can't find a way to force an ID token / cookie update when I have changed claims on the user (e.g. they change their name, so I want to update the cookie with it).

jordanebelanger commented 5 months ago

This is badly needed.

I cannot just force my users to re-login every 2 weeks regardless of their activity on our systems; this is an unacceptable, substandard-quality pattern. This is exacerbated if you have requirements for shorter session durations.

Right now (exactly like @francescovenica), to circumvent this, we have a custom solution that refreshes session cookies through a custom token authentication for that user once his cookie is close to expiring, but even then, the firebase-admin lib does not have the sign-in-with-custom-token endpoint exposed directly, so we have to make an API call manually for this after creating a custom token.
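The flow both @francescovenica and @jordanebelanger describe (verify cookie, createCustomToken, REST signInWithCustomToken, createSessionCookie) has one property worth noticing before shipping it: every custom-token sign-in produces an ID token whose `auth_time` is "now", so a chain of refreshes is never bounded by the time of the user's last real login, and a stolen cookie can be renewed for as long as the thief keeps calling the endpoint. The example below is added here and is not code from the issue or from firebase-admin. It keeps the same flow, validates the REST response, and carries the original login time forward in a developer claim (`first_auth_time` is a name chosen for this example, not a Firebase claim) so the server can enforce an absolute session lifetime. `auth`, `fetchImpl` and `now` are injected so the handler can run offline against the constructed stand-ins at the bottom; in a real route you would pass firebase-admin's Auth instance and the global `fetch`.

```javascript
const SIGN_IN_URL =
  "https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken";

// Refresh handler core. `deps` injects firebase-admin's Auth, a fetch function
// and a clock, so the logic runs unchanged against the real SDK or the fakes below.
async function refreshSessionCookie(deps, sessionCookie) {
  const { auth, fetchImpl, apiKey, expiresInMs, maxSessionSeconds, now } = deps;
  if (!sessionCookie) throw new Error("missing session cookie");
  // checkRevoked=true: a revoked or disabled user must not be able to mint a new cookie.
  const decoded = await auth.verifySessionCookie(sessionCookie, true);
  // Each custom-token sign-in resets auth_time, so the time of the last real login is
  // carried in a developer claim (first_auth_time, a name chosen for this example) and
  // total session age is bounded by it rather than by the cookie's own expiry.
  const firstAuthTime = decoded.first_auth_time ?? decoded.auth_time;
  if (now() / 1000 - firstAuthTime > maxSessionSeconds) {
    throw new Error("session older than maximum lifetime; re-login required");
  }
  const customToken = await auth.createCustomToken(decoded.uid, {
    first_auth_time: firstAuthTime,
  });
  const response = await fetchImpl(`${SIGN_IN_URL}?key=${apiKey}`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ token: customToken, returnSecureToken: true }),
  });
  // Missing in the issue's snippet: a failed exchange would otherwise hand
  // `undefined` to createSessionCookie.
  if (!response.ok) throw new Error(`signInWithCustomToken HTTP ${response.status}`);
  const { idToken } = await response.json();
  if (!idToken) throw new Error("signInWithCustomToken returned no idToken");
  const cookie = await auth.createSessionCookie(idToken, { expiresIn: expiresInMs });
  return { cookie, uid: decoded.uid, firstAuthTime };
}

// Constructed stand-ins (not firebase-admin): tokens are plain JSON and nothing is
// signed; they only model the claim flow the handler relies on.
function makeFakeAuth(now, revokedUids) {
  return {
    async verifySessionCookie(cookie, checkRevoked) {
      const claims = JSON.parse(cookie);
      if (claims.exp * 1000 <= now()) throw new Error("session cookie expired");
      if (checkRevoked && revokedUids.has(claims.uid)) throw new Error("revoked");
      return claims;
    },
    async createCustomToken(uid, developerClaims = {}) {
      return JSON.stringify({ uid, claims: developerClaims });
    },
    async createSessionCookie(idToken, { expiresIn }) {
      const claims = JSON.parse(idToken);
      return JSON.stringify({ ...claims, exp: Math.floor((now() + expiresIn) / 1000) });
    },
  };
}

// Fake signInWithCustomToken: as with the real endpoint, the returned ID token has
// auth_time set to "now" and carries the developer claims at top level.
function makeFakeFetch(now) {
  return async (_url, init) => {
    const { uid, claims } = JSON.parse(JSON.parse(init.body).token);
    const idToken = JSON.stringify({ uid, auth_time: Math.floor(now() / 1000), ...claims });
    return { ok: true, status: 200, json: async () => ({ idToken }) };
  };
}

// Two refreshes inside the window, one past the absolute limit, one for a revoked
// user. Observations are returned rather than printed.
async function demo() {
  const DAY = 86400;
  let clock = Date.UTC(2024, 0, 1); // constructed wall clock, in milliseconds
  const now = () => clock;
  const deps = {
    auth: makeFakeAuth(now, new Set(["user-2"])), fetchImpl: makeFakeFetch(now),
    apiKey: "EXAMPLE_API_KEY", // placeholder, not a real key
    expiresInMs: 14 * DAY * 1000, maxSessionSeconds: 20 * DAY, now,
  };
  const loginTime = Math.floor(clock / 1000) - DAY; // real login one day ago
  const cookie = JSON.stringify({ uid: "user-1", auth_time: loginTime, exp: loginTime + 14 * DAY });
  const first = await refreshSessionCookie(deps, cookie);
  clock += 10 * DAY * 1000;
  const second = await refreshSessionCookie(deps, first.cookie);
  const secondClaims = JSON.parse(second.cookie);
  clock += 10 * DAY * 1000; // 21 days after login: cookie unexpired, lifetime exceeded
  const limitError = await refreshSessionCookie(deps, second.cookie).catch((e) => e.message);
  const revokedCookie = JSON.stringify({ uid: "user-2", auth_time: loginTime, exp: loginTime + 40 * DAY });
  const revokedError = await refreshSessionCookie(deps, revokedCookie).catch((e) => e.message);
  return {
    loginTime, firstAuthTime: first.firstAuthTime,
    secondFirstAuthTime: secondClaims.first_auth_time, secondAuthTime: secondClaims.auth_time,
    limitError, revokedError,
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Two design notes. A cookie issued by a normal interactive login carries no `first_auth_time`, so the handler falls back to `auth_time`; the claim cannot be forged by a client because only the server (holding the service account) can mint custom tokens that put it into an ID token. And because `checkRevoked` is on, calling firebase-admin's `revokeRefreshTokens(uid)` or disabling the account ends the refresh chain for that user at the next attempt, which is the lever you want when a cookie is suspected stolen.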