Implementing Firebase Auth Session Durations

Logging Firebase users out after a set period of time.

Jacob Wenger
3 min read · Nov 26, 2018

Some apps, such as banking websites and other data-sensitive applications, force users to re-authenticate after a set period of time. However, the Firebase client SDKs do not have built-in support for such situations. Instead, user sessions generated via Firebase Authentication are indefinite, only ending due to one of the following situations:

  • The user is explicitly signed out via the client-side SDK.
  • The user is disabled.
  • The user is deleted.
  • A major account change is detected, such as an update to the user’s password or email address.
  • The user’s refresh token is revoked via the Firebase Admin SDK.

Although there is no API to specify the duration of Firebase Authentication sessions, there are two methods to enforce such a restriction using a combination of Security Rules and a few lines of client-side logic.

Enforcing Session Duration Using A Custom Claim

The first method involves creating a custom token with a custom claim specifying when the user session expires. Here is some code which uses the Admin Node.js SDK to create a custom token with a custom expiresAt claim indicating when, in milliseconds, the user session expires:

The expiresAt custom claim does nothing out-of-the-box. Firebase Authentication does not recognize the name and we could call it whatever we wanted (that is, as long as it is not one of the reserved claims). It does, however, show up in Security Rules as auth.token.expiresAt, which we can use to craft a Security Rule enforcing that data is only available to non-expired sessions:

Realtime Database Security Rules:

Firestore / Cloud Storage for Firebase Security Rules:

Enforcing Session Duration Using The auth_time Claim

One major downside of the above method is that it requires you to generate your own custom tokens and therefore does not work with the built-in phone number, email / password, and OAuth auth providers. Thankfully, there is another way to implement session duration which makes use of auth_time, a built-in claim available in ID tokens which represents when the user first authenticated to the client SDK. Note that this value is in seconds, not milliseconds, and that it is very different from the other built-in iat (issued-at time) claim.

As discussed in Demystifying Firebase Auth Tokens, the Firebase client SDKs generate new, short-lived ID tokens every hour. These ID token refreshes update the value of the iat claim (representing the time that specific ID token was issued), but not the value of the auth_time claim (representing the time when the very first ID token was generated).

We can make use of the auth_time claim in Security Rules, again writing rules which ensure the current request is made before a session expires.

Realtime Database Security Rules:

Firestore / Cloud Storage for Firebase Security Rules:

The downside of this method compared to the first one is that the Security Rules are a bit more complex. This can be somewhat abstracted away in the case of Firestore and Cloud Storage for Firebase Security Rules by encapsulating the logic in a reusable function:

Logging Users Out On the Client

Adding Security Rules properly limits the client’s access to data, but it does not actually end the session on the client. The Firebase client SDKs do not know anything about our session expiration rules and the user remains logged in. In order to end the session, we need to explicitly sign the user out. A logical place to do this is within our auth state changes subscription.

Every time a user is logged in, we can use the auth_time claim from the current ID token to establish a timeout which signs out the user when the session has ended. Here is an example implementation using the Firebase web client SDK:
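As an added example (not the post's own gist), the following self-contained JavaScript shows the scheduling logic: it decodes the ID token payload, derives the session end from auth_time (seconds, fixed at first sign-in) rather than iat, and arms a timer that calls a sign-out callback. The 30-minute duration, the makeSampleToken helper, the fake signature and the injectable signOut callback are assumptions made for this example; in a real app the callback would call the SDK's signOut and the claims would come from the current user's ID token.

```javascript
// Session length chosen for this example; it must match the value enforced
// by the Security Rules or the client will sign out at the wrong time.
const SESSION_DURATION_MS = 30 * 60 * 1000;

// Decode (without verifying) the payload of a JWT. Verification is the
// server's job: Security Rules enforce expiry, the client only schedules.
function decodeJwtPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// auth_time is in seconds and stays constant across hourly ID token
// refreshes; iat changes on every refresh, so it must not be used here.
function sessionExpiresAtMs(claims, sessionDurationMs = SESSION_DURATION_MS) {
  if (typeof claims.auth_time !== 'number') throw new Error('auth_time claim missing');
  return claims.auth_time * 1000 + sessionDurationMs;
}

// Milliseconds left in the session, clamped at 0 once it has ended.
function remainingSessionMs(claims, nowMs, sessionDurationMs) {
  return Math.max(0, sessionExpiresAtMs(claims, sessionDurationMs) - nowMs);
}

// Arms a timer that ends the session. Returns the timer handle, or null when
// the session had already expired and signOut was invoked immediately.
// In an app: onAuthStateChanged -> user.getIdTokenResult() -> this function
// with signOut: () => firebase.auth().signOut() (assumed SDK calls).
function scheduleSessionEnd(claims, { nowMs = Date.now(), signOut, sessionDurationMs } = {}) {
  const remaining = remainingSessionMs(claims, nowMs, sessionDurationMs);
  if (remaining === 0) {
    signOut();
    return null;
  }
  return setTimeout(signOut, remaining);
}

// Constructed sample token (hypothetical helper): real header, fake signature.
// Passing iat later than auth_time mimics a token that has already been refreshed.
function makeSampleToken(authTimeSec, iatSec) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
  const header = enc({ alg: 'RS256', typ: 'JWT' });
  const payload = enc({ auth_time: authTimeSec, iat: iatSec, sub: 'constructed-user-1' });
  return `${header}.${payload}.fake-signature`;
}
```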

Conclusion

Although the Firebase client SDKs do not have built-in support for session durations, we can implement them ourselves using a combination of Security Rules and a few lines of client-side logic.

If you would like to get notified when I produce more content like this and stay updated on what I am working on, join my mailing list.

Jacob Wenger

I like to build cool stuff. Current Firebase consultant. Formerly software engineer at Firebase, Google, Microsoft.