gladly-team / next-firebase-auth

Simple Firebase authentication for all Next.js rendering strategies
https://nfa-example-git-v1x-gladly-team.vercel.app/
MIT License

How to SSR signout & redirect to login #592

Closed splacentino closed 1 year ago

splacentino commented 1 year ago

Describe the bug

Some API calls made in getServerSideProps can lead to an invalidation of the authorized user. The user should be logged out and redirected to the login page.

Versions

next-firebase-auth version: 1.0.0-canary.18
Firebase JS SDK: 9.14.0
Next.js: 12.3.1

To Reproduce

Steps to reproduce the behavior:

  1. Implement page / with a getServerSideProps wrapped in withAuthUserSSR.
  2. Implement page /login with a getServerSideProps wrapped in withAuthUserSSR + content wrapped in withAuthUser (for redirection only).
  3. Log in
  4. Get redirected to /
  5. Unexpected behaviour

Expected behavior

Describing a flow on "how to signOut from server side & redirect to /login page with cleared user".

Debug and error logs

No error logs.

Additional context

Login page (/login):

export const getServerSideProps = withAuthUserSSR({
  whenAuthed: AuthAction.REDIRECT_TO_APP,
})();

export default withAuthUser({
  whenAuthed: AuthAction.REDIRECT_TO_APP,
})(Login);

Main page (/):

export const getServerSideProps = withAuthUserTokenSSR({
  whenUnauthed: AuthAction.REDIRECT_TO_LOGIN,
})(async ({ AuthedUser, ...context }) => {
  // Assuming we have an issue that requires to logout

  await AuthedUser.signOut()
  return {
    redirect: {
      statusCode: 301,
      destination: '/login',
    },
  };
});

Edit (additional question): How to perform an additional async check on a freshly logged-in user to possibly revoke access?

const auth = getAuth(getApp());
await signInWithEmailAndPassword(auth, email, password);
// From here, code is not performed well as we are redirected according to redirect URL.

kmjennison commented 1 year ago

I'm not sure how we'd handle this. This library relies on client-side Firebase authentication state as the source of truth for whether a user is authenticated or not. Even if we unset the user's auth cookies, how would we handle the user still being logged in on the client side?

jodik commented 1 year ago

You can redirect to a client "logout" page and the client will also log out the user.
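
The flow suggested in the comment above, sketched as an added example that is not part of the thread or of next-firebase-auth: the server only redirects, and a client page signs out before continuing to the login page. The `/logout` path, the `next` query parameter and all helper names are assumptions.

```javascript
// Added example, not next-firebase-auth code. '/logout' and the 'next'
// parameter are assumed names; the thread does not define them.
const LOGOUT_PATH = '/logout';
const LOGIN_PATH = '/login';

// Accept only same-origin absolute paths, so the logout page cannot be used
// as an open redirect ('https://host', '//host', '/\host', control chars).
function safeNextPath(next) {
  if (typeof next !== 'string' || next.length > 512) return LOGIN_PATH;
  if (!next.startsWith('/') || next.startsWith('//')) return LOGIN_PATH;
  if (/[\\\u0000-\u001f]/.test(next)) return LOGIN_PATH;
  return next;
}

// Server side: the value getServerSideProps returns once an API call shows
// the session is no longer valid. The server does not sign out itself,
// because the client-side Firebase state stays the source of truth.
function redirectToClientLogout(next = LOGIN_PATH) {
  const query = new URLSearchParams({ next: safeNextPath(next) });
  return {
    redirect: {
      destination: `${LOGOUT_PATH}?${query}`,
      permanent: false, // temporary: a cached 301 would replay after re-login
    },
  };
}

// Client side: call once from the logout page's effect.
// signOut: the client user object's signOut(); replace: the router's replace().
// If signOut rejects we do not navigate: /login would see a signed-in user,
// send them back to the app, and the server would redirect here again.
async function clientLogout(signOut, replace, search) {
  const next = safeNextPath(new URLSearchParams(search).get('next'));
  await signOut();
  replace(next);
  return next;
}
```
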

kmjennison commented 1 year ago

Closing this: this library will continue to rely on the client-side Firebase state as the source of truth for authentication.