I need to know that if that possible to refresh the firebase access token from back-end using node.js. I can get the token from front end and I need to refresh it and verify if the token is expired.
condition : if the token expired then need to refresh it in the back-end. but the token is generating from front end.
You need the Refresh Token to get a new ID Token (Access Token). If you are using the Firebase Auth Client SDK, then it'll do all of this.
// This returns existing token if valid
// else it'll refresh the token and return an new one
const token = await auth.currentUser.getIdToken()
In case you still need to get new token in your backend server, then you can use Firebase Auth REST API.
Again, you'll need to store the refresh token in a secure place and I won't recommend doing this unless it's just for testing or you don't have any other way.
Related
I used Nodejs Express and ejs and passprot jwt.
I saved jwt token in the cookie by httpOnly the attribute.
And before the page is rendered,router.get('/',isauth.verifyToken(), adminController.checkUser);
,check if the token is valid.
If the token is not valid, redirect it to the login page.
exports.verifyToken = ()=>{
return passport.authenticate('cookie', { session: false, failureRedirect: '/users/login' });
}
Now, I want to use not only the access token but also the refresh token.
where should I save the refresh token?.
In my opinion, saving both access token and refresh token in cookies is not the answer.
Is it right to store refresh token in local storage?.
If local storage is correct, where should the logic of refreshing token?
If you have one backend that authenticates, issues tokens, and then consumes them, then there's no need to issue a separate refresh token. You can just rely on the access token. In fact, in such a setup, you're using an HTTP session, so you don't even need a JWT. If you have a separate authorization service that issues tokens, then it's best to store refresh tokens in your backend - in the service that will eventually call the authorization service to get new tokens.
In any way, don't store refresh tokens in the local storage. It's not safe to keep tokens there as they are vulnerable to XSS attacks.
I am using a simple JWT auth firebase. backend checks if its a valid user and gives back an access token using JWT. Now I want to implement a refresh token. How can I do it? What should be the content of the refresh token? When I sign a new access token and go to protected a page but when fresh it, it go to login page again.
what should I do to also sign a refresh token? please help me anyone.
when you are generating JWT auth token generate refresh token with 1d or with no expiry time according to you requirement. After this send JWT and JWT-REFRESH token in the response of login API, after this make an API in your backend which accepts the refresh token from header or from body and in response generate a JWT token, in case of bad refresh token return 401 status code.
At client side if you are using axios, you can use axios-interceptors as a middle to detect if 401 is coming from any API, then in that case hit the refresh JWT token API to generate new auth token.
If refresh token API gives again 401 response then handle it as REFRESH token is also expire and redirect the user into login page.
I have a flutter app with a node.js backend api. I'm using firebase Auth for authentication. The way it works now (which I don't know is standard,) is the user sends a request to firebase auth to login/signup. The jwt gets stored in the flutter app, then it sends that firebase jwt to my API, which verifies it's a valid token firebase.auth().verifyIdToken(), and my API sends over a new jwt created with firebase firebase.auth().createCustomToken(...) with custom info.
Before every response my API sends over, it checks if the custom jwt was created after 15 min. If it was, it recreates a new custom jwt. If it passed 7 days since it's original creation, it logs out the user.
The problem is, I don't see a way to regenerate a firebase auth token on the server. Which means every hour the user will have to re-login.
I feel I'm overcomplicating things, but I'm not sure of a better design of doing this. Is there a standard? How can I make this better and how can I make it that the user doesn't have to re-login after just 60 min?
The custom tokens created by createCustomToken() are used when you have a third party auth system but you want to login your users with Firebase auth.
The problem is, I don't see a way to regenerate a firebase auth token on the server. Which means every hour the user will have to re-login.
You don't have to do anything on the server. Every time you need to call your API, you can use getIdToken() to get user's ID token.
var token = await FirebaseAuth.instance.currentUser().getIdToken();
This will return user's current token and if it has expired then it'll a refreshed token. You can then pass the result to your API. There's no need to explicitly store the token anywhere yourself.
Whenever you are making an API request, the flow could be as simple as:
Get user's ID Token using getIdToken()
Pass this token in your API request
Verify it using verifyIdToken() and return the response.
I have a React Native application with JWT authentication access to my backend.
When the user authenticates the backend returns an accessToken and a refreshToken the idea is, that both tokens are stored in AsyncStorage along with the expirationTime stored for both tokens.
Right now the implementation is so there is a setTimeout function that checks if the token is about to expire and uses the refreshToken to update the accessToken.
This made me wonder how much of a security upgrade it is using refreshTokens.
If both are stored in AsyncStorage (on the client), both could be accessed, what is the point of having the refresh token?
If an attacker got access to the client storage, they could simply update the access token with the refresh token?
I have on nodejs the login api, where i generate the token and the refresh token, and register them in the cookie. Also i have a route: /refreshToken where i check if user have token and if it is expired i generate a new one. My question is next:
How do on front end to detect if the access token has expired and to renew it with refreshed token?
In the React application, you need to add a logic to check the token validation before entering the router. Make an API endpoint (like /authenticate) on the back-end side to check the access token validation and upon its result, routing needs to move forward or try token refresh. If token refresh fails again, it needs to navigate back to the login screen.
This is kind of a generic question so not sure if you need detailed explanation with code.