firebase / firebase-ios-sdk

Firebase SDK for Apple App Development
https://firebase.google.com
Apache License 2.0

FR: Migrate to shared Keychain without clearing signed in user #9793

Open WillBishop opened 2 years ago

WillBishop commented 2 years ago

Feature proposal

Currently migrating to a shared Keychain means clearing the current user. For an app in production with thousands of MAU, signing out all of those users to migrate their keychain.

Would it be possible to move the login tokens from a non-shared keychain to a shared keychain, as it seems possible to move in the other direction?

WillBishop commented 2 years ago

Any update on this? Is this even theoretically possible or not?

morganchen12 commented 2 years ago

Hey Will, sorry for the slow response. As far as I know this should be possible, but we haven't gotten around to evaluating/scheduling this work.

WillBishop commented 2 years ago

Ah ok no worries. I only ask because I have 1000s of active users, and forcing them all to log in again is not ideal.

mariusiordache commented 2 years ago

I am also interested in this since we have around 100k+ active users, and the worst part is they are mostly anonymous.

WillBishop commented 2 years ago

Hey @morganchen12 and @rosalyntan, is there any update on this? My app has grown to over 20k users and I can't make them all log in again, but switching the keychain would be awesome.

mariusiordache commented 2 years ago

I have made a quick fix. It seems to work, but I think it will cause some problems when users try to log out, since the logout will happen on the shared keychain, and a user will still be logged in in the private keychain.

Right after initializing the library, add this code.

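import FirebaseAuth

// Capture the user stored in the private (non-shared) keychain before switching.
let tmpUser = Auth.auth().currentUser

Auth.auth().shareAuthStateAcrossDevices = true

do {
    // "XXX.my.app.id" stands in for the app's keychain access group.
    try Auth.auth().useUserAccessGroup("XXX.my.app.id")
} catch let error as NSError {
    // print() does not expand %@ format specifiers, so interpolate the error.
    print("Error changing user access group: \(error)")
}

if let oldUser = tmpUser {
    if Auth.auth().currentUser?.uid ?? "" != oldUser.uid {
        // this happens when we migrate from unshared keychain to a shared keychain
        Auth.auth().updateCurrentUser(oldUser) { error in
            // Report a failed write instead of dropping it silently.
            if let error = error {
                print("Error updating current user: \(error)")
            }
        }
    }
}

WillBishop commented 2 years ago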

I believe I've tried very similar code and it didn't survive after an app reboot.

rtharston commented 1 year ago

The 'fix' for #10582 forces our users to log out because a new key is created. I'm hoping that we can find a fix/mitigation similar to this request that will let us upgrade to Firebase 10.5.0+ without logging our users out.

EDIT: A coworker found #10979. Looks like they tried to fix the log out issue in Firebase but couldn't. I am going to experiment with something similar to the workaround Marius shared.

paulb777 commented 1 week ago

cc: @ncooke3