
I'm using sessions/cookies to authenticate my Firebase users.

The persistence on the client is set to "none" (auth.setPersistence(inMemoryPersistence)) and I'm using admin.auth().verifySessionCookie() on the server to validate each request.

The issue is that on the client/browser, auth.currentUser is always null.

Normally I wouldn't care about auth.currentUser, because I'm sending all the user info I need from the server to the client anyway. But if I want to use @firebase/storage, then the user needs to be authenticated locally on the client in order to be able to upload files and match the security rules.

What mechanism should I use to be able to set the currentUser on the client?

Maxime Dupré

1 Answer


auth.currentUser is always null

That will be null as you are not logged in with the Firebase SDK itself. As mentioned in the documentation, they are meant for traditional websites that use session cookies. You are not logged in with the Firebase SDK itself.

What mechanism should I use to be able to set the currentUser on the client?

You can add an API endpoint in your server (e.g. GET /auth/user) that'll return user information if the cookie is present, else null, and redirect the user to the login page.

But if I want to use @firebase/storage, then the user needs to be authenticated locally on the client in order to be able to upload files and match the security rules.

Don't set the persistence to NONE. That way you'll still be logged in with the client SDK and your requests will still be authenticated (unless you want to use the REST API and handle it yourself).

However, it's not the best way to use both methods, as using signOut() from the SDK won't discard the session cookie and you must handle that explicitly. You can also route your Firebase Storage requests through the server depending on the use case.

Dharmaraj
  • Thank you for the response Dharmaraj. I understand why `auth.currentUser` is set to `null` when persistence is `NONE`. If I understand you correctly, there is no way of actually setting the current user (e.g. using `updateCurrentUser(auth, user)`) from the session/cookie? The only way is to enable persistence on the front end, so that you are both logged in via the cookie (server) and IndexedDB (frontend)? Is there no way to set the `currentUser` by using the session (or returning additional data from the server)? Thanks again – Maxime Dupré Sep 25 '22 at 18:14
  • @MaximeDupré as I mentioned in the answer, you would have to get the user's data from the server side using an API call. You can verify the cookie using the Admin SDK and return user data. Similarly, you can add another API route (e.g. `POST /user/profile`) to [update the user's profile using the Admin SDK](https://firebase.google.com/docs/auth/admin/manage-users#update_a_user) on the server side itself. The cookies are generally used when your web app requires SSR so you can access the user's information before rendering the page. I would recommend using either of the methods depending on the use case. – Dharmaraj Sep 25 '22 at 18:24
  • I hear you about getting the user's data from the server side, but I'm asking if there's a possibility to set the user client-side *from* the cookie/other data sent by the server. When I say set the user, I mean literally setting the user such that `auth.currentUser` would actually return the current user. There is a method called `updatedCurrentUser` on the JS SDK, so perhaps there is a way to derive the user from the cookie/other info sent by the BE and set it on the FE? I am doing SSR btw – Maxime Dupré Sep 25 '22 at 19:16
  • @MaximeDupré the easiest way would be to keep the user logged in with the Client SDK, but it might not be best to do so as they can get out of sync, i.e. the cookie expires but the user is still logged in on the client. I haven't tried constructing a [User](https://firebase.google.com/docs/reference/js/auth.user) object myself (there isn't any built-in constructor exposed from the SDK) but I'm unsure if that'll work. – Dharmaraj Sep 25 '22 at 19:28
  • Got it! I figure another way would be to use pre-signed URLs to upload from the front end? This way I can keep using only sessions. – Maxime Dupré Sep 25 '22 at 19:38
  • @MaximeDupré I'm not sure about your use case, but I would assume you are talking about Firebase Storage signed URLs? Yes, they will work, but do remember anyone that has the URL can use it (so users should ideally not share it). For `updatedCurrentUser` and other methods you can still use the Admin SDK. – Dharmaraj Sep 25 '22 at 19:39
  • @MaximeDupré Did you succeed in deriving the currentUser in the client from your server session cookie? I am trying to do the same thing as you. – httpete May 28 '23 at 13:01