Reputation: 37068
I'm looking at the Firebase auth docs here and specifically this code example for the client-side code for creating a session:
// signInWithEmailAndPassword resolves with a UserCredential; the User is its .user property.
firebase.auth().signInWithEmailAndPassword('[email protected]', 'password').then(({ user }) => {
  // Get the user's ID token as it is needed to exchange for a session cookie.
  return user.getIdToken().then(idToken => {
    // Session login endpoint is queried and the session cookie is set.
    // CSRF protection should be taken into account.
    // ...
    // getCookie and postIdTokenToSessionLogin are app-defined helpers, not Firebase APIs.
    const csrfToken = getCookie('csrfToken');
    return postIdTokenToSessionLogin('/sessionLogin', idToken, csrfToken);
  });
}).then(() => {
  // A page redirect would suffice as the persistence is set to NONE.
  return firebase.auth().signOut();
}).then(() => {
  window.location.assign('/profile');
});
The first section there makes sense -- sign in and create a session. But then the middle then calls signOut -- what? Why would you want to do that? There is a comment preceding this code in the docs that reads:
On success, the state should be cleared from the client side storage.
Unclear if that comment is referring to the signOut call. Not really sure why you would do that, either way. Then Firebase thinks the user is signed out, but your server has an active session for that user.
Could anyone shed any insight on this?
Upvotes: 0
Views: 199
Reputation: 317487
There is a line of code from that sample that's important for context:
// As httpOnly cookies are to be used, do not persist any state client side.
firebase.auth().setPersistence(firebase.auth.Auth.Persistence.NONE);
With persistence disabled, there is no saved sign-in state. When the page reloads, redirects, or somehow navigates away, the user is effectively signed out, because their token isn't remembered. The point of the entire sample is to show how to put that token into a cookie, which will be persisted as cookies normally are, and also sent to the server on future requests and can be verified with the Firebase Admin SDK. If this is not what you're trying to do, then this page of documentation isn't relevant.
The signOut that happens later is merely ceremonial. As the comment above it says:
A page redirect would suffice as the persistence is set to NONE.
Signing out would be an explicit note to the reader of the code that the idea is to use the token stored in the cookie, not in Firebase Auth's own persistence (which, again, was disabled above).
Upvotes: 1