  1. I successfully auth with a phone number. (I can check firebase.auth.currentUser to confirm I'm logged in.)
  2. Then I call my Firebase admin route, which has admin.auth().updateUser(uid, somevalues) to set the user's displayName and email.
  3. After this step finishes, my user data has the changed displayName and email (checked in the Firebase console). In my auth I run firebase.auth().currentUser.reload() to get the updated user data and suddenly there is an error, auth/user-token-expired. I have checked: only after I use admin.auth().updateUser(....) is my token lost. If I do not run this command, I can do firebase.auth().currentUser.reload() without problem.

UPDATE: Only if I set email when calling admin.auth().updateUser(....) does my token inside the app become invalid. If I change only displayName, the token remains valid.

rendom
  • Do you also have email auth enabled in your Firebase account? If so, invalidation of the token would make sense as a security precaution. – majorobot Feb 04 '19 at 19:00
  • Oh. So I can't have phone auth and email auth at the same time? – rendom Feb 04 '19 at 19:03
  • No, actually you can have both (and Firebase actually suggests that). But, if your account is set to allow users to auth with email, I would think the token is reliant on that credential whether you knew it or not. So, changing the credential (email address) would invalidate the token. Otherwise, it makes it easier to steal another user's token and session. – majorobot Feb 04 '19 at 22:17
  • @misterfancypants what should I do then to not have this error and still able to change email? – rendom Feb 05 '19 at 03:35
  • Unfortunately I think Jeremy Lee is correct below: according to Firebase's documentation, this is not an error. You might want to warn your users that they will have to re-auth before they change their email. – majorobot Feb 05 '19 at 18:22
  • I understand, but I never saw an app or site where after changing email I had to reauthorize. It's just bad UX. What I did is extract the email update from cloud functions and execute it from client auth. So I updated the email and did not reauthorize. – rendom Feb 07 '19 at 12:16
  • Strange, I've actually seen that behavior when I change my email more often than not (it's a pain, but is more secure). I think your workaround makes sense! – majorobot Feb 08 '19 at 17:40

1 Answer


I'm not sure what the exact question is here, but reload() will use a refresh token; however, refresh tokens expire when "A major account change is detected for the user. This includes events like password or email address updates."

See: https://firebase.google.com/docs/auth/admin/manage-sessions

So when your refresh token expires (due to the 'major account change'), you need to re-authorize.

Jeremy
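The behaviour the answer describes (refresh tokens revoked on an email change) is best handled on both sides of the admin route: the server can tell the client that the update it just performed will stop the session from refreshing, and the client can treat auth/user-token-expired from reload() as "sign in again" rather than as a bug. The block below is an added example written for this page, not code from the question, the answer, or Firebase. It assumes the v8-style client API used in the question (auth.currentUser.reload(), auth.signOut()) and the Admin SDK's updateUser(); both are injected as parameters so the logic runs offline against the constructed fakes at the bottom. The list of session-revoking fields is taken from the manage-sessions page the answer links (email and password updates, plus disabling the user); treating auth/requires-recent-login the same way as auth/user-token-expired is an assumption.

```javascript
// Added example: handling Firebase refresh-token revocation after an
// admin-side account change. Not code from the original post.

// Fields whose update revokes the user's refresh tokens according to the
// linked manage-sessions documentation (email/password = "major account
// change"; disabled = account disabled). Assumption: this list is complete.
const SESSION_REVOKING_FIELDS = ['email', 'password', 'disabled'];

// Error codes after which the only remedy is a fresh sign-in.
// 'auth/user-token-expired' is the code from the question; grouping
// 'auth/requires-recent-login' with it is an assumption.
const REAUTH_ERROR_CODES = new Set(['auth/user-token-expired', 'auth/requires-recent-login']);

function revokesRefreshTokens(fields) {
  return SESSION_REVOKING_FIELDS.some((f) => Object.prototype.hasOwnProperty.call(fields, f));
}

function isReauthError(err) {
  return Boolean(err && REAUTH_ERROR_CODES.has(err.code));
}

// Server side (Node + Admin SDK, injected): perform the update and tell the
// caller whether its current session will stop refreshing, so the client can
// plan a re-auth instead of discovering it on the next reload().
async function adminUpdateUser(adminAuth, uid, fields) {
  const record = await adminAuth.updateUser(uid, fields);
  return { uid: record.uid, reauthRequired: revokesRefreshTokens(fields) };
}

// Client side: reload the user; if the refresh token was revoked, drop the
// stale session and hand control to the sign-in flow rather than retrying.
async function reloadOrReauth(auth, onReauthNeeded) {
  const user = auth.currentUser;
  if (!user) return { status: 'signed-out' };
  try {
    await user.reload();
    return { status: 'ok', email: auth.currentUser.email };
  } catch (err) {
    if (!isReauthError(err)) throw err; // network errors etc. propagate unchanged
    await auth.signOut();
    onReauthNeeded(err.code);
    return { status: 'reauth-required', code: err.code };
  }
}

// --- Constructed fakes standing in for the Firebase SDKs (offline demo) ---
function makeFakeBackend() {
  const state = { uid: 'uid-123', email: 'old@example.com', tokenRevoked: false };
  const adminAuth = {
    async updateUser(uid, fields) {
      Object.assign(state, fields);
      // Mimic the server: a major account change revokes refresh tokens.
      if (revokesRefreshTokens(fields)) state.tokenRevoked = true;
      return { uid };
    },
  };
  const auth = {
    currentUser: {
      get email() { return state.email; },
      async reload() {
        if (state.tokenRevoked) {
          const e = new Error("The user's credential is no longer valid.");
          e.code = 'auth/user-token-expired';
          throw e;
        }
      },
    },
    async signOut() { auth.currentUser = null; },
  };
  return { adminAuth, auth };
}

// Walks through the two cases from the question's UPDATE.
async function demo() {
  const events = [];
  const { adminAuth, auth } = makeFakeBackend();

  // 1. displayName only: no revocation, reload() succeeds.
  const r1 = await adminUpdateUser(adminAuth, 'uid-123', { displayName: 'Alice' });
  const reload1 = await reloadOrReauth(auth, (code) => events.push(code));

  // 2. email change: refresh token revoked, client must sign in again.
  const r2 = await adminUpdateUser(adminAuth, 'uid-123', { email: 'new@example.com' });
  const reload2 = await reloadOrReauth(auth, (code) => events.push(code));

  return { r1, reload1, r2, reload2, events, signedOut: auth.currentUser === null };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

In a real app the `reauthRequired` flag returned by the admin route is what lets the client show a "please sign in again" screen immediately after the email change, instead of surfacing auth/user-token-expired on whatever screen next calls reload().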