Logging Firebase users out after a set period of time.
Some apps, such as banking websites and other data-sensitive applications, force users to re-authenticate after a set period of time. However, the Firebase client SDKs do not have built-in support for such situations. Instead, user sessions generated via Firebase Authentication are indefinite, only ending due to one of the following situations:
- The user is explicitly signed out via the client-side SDK.
- The user is disabled.
- The user is deleted.
- A major account change is detected, such as an update to the user’s password or email address.
- The user’s refresh token is revoked via the Firebase Admin SDK.
Although there is no API to specify the duration of Firebase Authentication sessions, there are two methods to enforce such a restriction using a combination of Security Rules and a few lines of client-side logic. …
An overview of the Firebase client SDK authentication model.
I am a former member of the Firebase team, joining before the Google-owned days when Firebase was still a small startup. I no longer work at Google, but I still use Firebase for many projects. Join my mailing list to stay updated on my writing.
As part of expanding to become a unified app platform during Google I/O in May 2016, Firebase ushered in a new set of SDKs. With those new SDKs came a new authentication model which still exists today. Information about the authentication model can be found scattered throughout the official Firebase docs, but there is no good overview on the topic. …
About
