Closed MrTheFirst closed 3 years ago
If you still want to go with session cookies then I think following steps would do the job
strapi.firebase.auth().createSessionCookie(idToken, { expiresIn })
.permissions.js
following same approach as used to verify idToken or inside the controller you want to auth guard.Thanks! I testing this solution: replace your code
try {
const idToken = ctx.request.header.authorization.split(" ")[1];
const decodedToken = await strapi.firebase
.auth()
.verifyIdToken(idToken);
ctx.state.user = { ...decodedToken };
if (decodedToken.strapi_uid) {
ctx.state.user.id = decodedToken.strapi_uid;
}
return await next();
} catch (error) {
return handleErrors(ctx, err, "unauthorized");
}
for this:
try {
const idToken = ctx.request.header.authorization.split(' ')[1];
const expiresIn = 60 * 60 * 24 * 14 * 1000;
let cookie = ctx.cookies.get("session") || '';
if (!cookie) {
await strapi.firebase
.auth()
.createSessionCookie(idToken, { expiresIn })
.then(
(sessionCookie) => {
cookie = sessionCookie
// Set cookie policy for session cookie.
const options = { maxAge: expiresIn, httpOnly: true, secure: false, domain: 'localhost' };
ctx.cookies.set('session', cookie, options);
});
}
const decodedClaims = await strapi.firebase
.auth()
.verifySessionCookie(cookie, true /** checkRevoked */)
ctx.state.user = { ...decodedClaims };
if (decodedClaims.strapi_uid) {
ctx.state.user.id = decodedClaims.strapi_uid;
}
return await next();
} catch (err) {
return handleErrors(ctx, err, "unauthorized");
}
Without new routes, but save Authorization header for all requests
Yes! That should work fine!
@lambrohan thank you very much for the work done! But with this solution, the authorization token lives for only 1 hour. Could you help implement authorization session cookies? https://firebase.google.com/docs/auth/admin/manage-cookies#node.js