2

I am trying to stop a nodejs server operation using firebase-admin, I am not using firebase-functions because it doesn't fit my requirements

I have successfully created an idToken and verified it in the server using the firebase code.

admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    var uid = decodedToken.uid;
    // ...
  }).catch(function(error) {
    // Handle error
  });

The problem is that when I logout on the client the idToken is still live for the remainder of the 60 minutes lifetime.

How do I destroy an IdToken so the server operation stops working?

Jason
  • 931
  • 2
  • 12
  • 26
  • There's no way to invalidate an ID token from an SDK as far as I know. What is the server operation you're trying to cancel by revoking the token? – Hiranya Jayathilaka Jun 16 '17 at 18:00
  • It's a mongodb call via aws lambda/api-gateway, ideally I would like to invalidate the idToken on logout to enable me to have a "unauthorised" flag if the http request was made with the last idToken at logout or any previous idTokens if a refresh was forced. I tested previous idTokens after a refresh and they are still valid idTokens until they expire chronologically. – Jason Jun 16 '17 at 22:19

1 Answers1

1

There is no API to invalidate/revoke an ID token. You will have to implement this unauthorized behavior in some other way. Perhaps you can set a value in Firebase database at logout, and look for it in subsequent calls. For completeness, here are some previous discussions on this topic:

https://groups.google.com/forum/#!topic/firebase-talk/hPNd5-RNgBs How to revoke an authentication token?

Hiranya Jayathilaka
  • 7,180
  • 1
  • 23
  • 34