5

I am using the firebase custom auth to generate a custom token and I was wondering if there was a way to manually update the token by shortening it based on a specific time a session has finished. e.g. if a session finishes for like 20 seconds or maybe 5 mins, I could manually update the expiry time of the token

If that is not possible, is there also a way to set a custom constant expiration time for the token e.g. 1 min rather than the 1 hour expiration time

Jama Mohamed
  • 3,057
  • 4
  • 29
  • 43
  • 2
    Expiry time on the custom token has no impact on the duration of an authenticated session. It just means how long the custom token will remain valid before it cannot be used to initiate a login. – Hiranya Jayathilaka Mar 18 '19 at 17:29

1 Answers1

7

I quickly checked the source of createCustomToken in the Admin SDK and it seems the one hour expiration time (exp) is hard-coded in there. So if you want to modify that, you'll have to create your own fork of the Admin SDK.

The alternative would be to mint your own custom token as shown in Create custom tokens using a third-party JWT library. That way you can set the exp claim to the value you want.

A third option is to use session cookies, which allow you to set your own expiration interval.

And the final option I can think of is to file a feature request on the Admin SDK.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • 4
    I'd like to point out that options 1 and 2 won't work. The google backend currently only accepts expiration in seconds up to 1 hour. Anything more than that will give you an auth/invalid-custom-token error when trying to login with the minted token. – castillo.io Jul 27 '21 at 19:59
  • Also, there's a feature request to set the length of the expiration but it contains a max length of 1 hour. Issue: https://github.com/firebase/firebase-admin-node/issues/1016 – castillo.io Jul 27 '21 at 20:01