firebase / firebase-js-sdk

Firebase Javascript SDK
https://firebase.google.com/docs/web/setup

ID token docs say refreshes with 5 minutes buffer but seems to be 30 seconds #8165

Open anuraaga opened 1 month ago

anuraaga commented 1 month ago

Operating System

Any

Browser Version

Any

Firebase SDK Version

92e2279a299dbe88e01bf7ed3da4be42d4de86c9

Firebase SDK Product:

Auth

Describe your project's tooling

This report is based on examining the code in GitHub and not an actual direct usage. We noticed expired tokens being sent to our backend and investigated the code and found this.

Describe the problem

The documentation says that Firebase ID tokens should be refreshed if they would expire within 5 minutes.

https://github.com/firebase/firebase-js-sdk/blob/master/packages/auth/src/core/user/id_token_result.ts#L31

But looking at the code that actually fetches, it appears to use a buffer that is 30s.

https://github.com/firebase/firebase-js-sdk/blob/master/packages/auth/src/core/user/token_manager.ts#L49

Is this intended or is it missing a 0 accidentally?

Steps and code to reproduce issue

We don't have a direct reproduction but notice expired tokens being sent to our backend (no request takes more than 5 minutes to process) and examined the code to see why it may be.

renkelvin commented 1 month ago

The 5 minutes is enforced by expirationTime, while the 30s is to refresh the token if it will expire in 30s.

anuraaga commented 1 month ago

@renkelvin Do you mean StsTokenManager.expirationTime? That is set to the STS response from here

https://github.com/firebase/firebase-js-sdk/blob/master/packages/auth/src/api/authentication/token.ts#L98

Do you mean the server returns an expires_in in the response that is 5 minutes before the exp claim in the token itself?
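Added example, not part of the thread and not the SDK's code: a small Node.js sketch of the refresh-buffer comparison being discussed, showing how the same token is sent as-is under a 30 second buffer but refreshed under a 5 minute one. The helper names (`decodeExp`, `secondsLeft`, `needsRefresh`, `makeSampleToken`) and the sample token are constructed for illustration.

```javascript
// Added illustration; helper names are hypothetical, not firebase-js-sdk APIs.
// Assumes Node.js (Buffer with 'base64url' support).

// Read the exp claim from a compact JWT without verifying it.
// This is only a client-side scheduling hint; the backend must still
// verify the signature and exp itself.
function decodeExp(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (typeof payload.exp !== 'number') throw new Error('exp claim missing');
  return payload.exp; // seconds since the Unix epoch
}

// Remaining lifetime in seconds at the given wall-clock time.
function secondsLeft(jwt, nowMs) {
  return decodeExp(jwt) - Math.floor(nowMs / 1000);
}

// True when the token expires inside the buffer window and should be
// refreshed before it is attached to a request.
function needsRefresh(jwt, nowMs, bufferSeconds) {
  return secondsLeft(jwt, nowMs) <= bufferSeconds;
}

// Constructed sample token: unsigned, placeholder signature segment.
function makeSampleToken(expSeconds) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = enc({ alg: 'none', typ: 'JWT' });
  const payload = enc({ sub: 'constructed-user', exp: expSeconds });
  return `${header}.${payload}.constructed-signature`;
}

const NOW_MS = 1_700_000_000_000;                      // fixed clock for the demo
const token = makeSampleToken(1_700_000_000 + 45);     // 45 seconds of life left

for (const buffer of [30, 300]) {
  console.log(
    `buffer=${buffer}s left=${secondsLeft(token, NOW_MS)}s ` +
    `refresh=${needsRefresh(token, NOW_MS, buffer)}`
  );
}
```

With the 30 second buffer the token above goes out with 45 seconds of validity remaining, so any delay or clock difference larger than that between the client check and the backend's `exp` check results in a rejected token.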