Managing the user session

Manage the user's session and prompt the user to reauthenticate when needed, because every time the user logs in, the user's credentials are sent to the Firebase Authentication backend and exchanged for a Firebase ID token (a JWT) and a refresh token.

These are the common scenarios where we need to manage the session of the user:

  • User is deleted
  • User is disabled
  • Email address and password changed

The Firebase Admin SDK also provides the ability to revoke a specific user's session using the revokeRefreshTokens() method, which revokes the active refresh tokens of a given user. If we reset the password, the Firebase Authentication backend automatically revokes the user's token.

The following rule must be configured when any data requires authentication to access:

{
  "rules": {
    "users": {
      "$user_id": {
        ".read": "$user_id === auth.uid && auth.token.auth_time > (root.child('metadata').child(auth.uid).child('revokeTime').val() || 0)",
        ".write": "$user_id === auth.uid && auth.token.auth_time > (root.child('metadata').child(auth.uid).child('revokeTime').val() || 0)"
      }
    }
  }
}
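
The following is an added example, not code from the book or from Firebase: a local JavaScript model of the rule above that shows which sessions it accepts before and after a revocation. No Firebase SDK is called; db, recordRevocation and ruleAllows are hypothetical names, and the timestamps are constructed sample values.

```javascript
// Local model of the rule above. `db` stands in for the Realtime Database;
// recordRevocation and ruleAllows are hypothetical helper names.

// Store the revocation moment under metadata/<uid>/revokeTime.
// auth_time in the ID token is in SECONDS since the epoch, so the stored
// value must be in seconds too. Storing milliseconds would make every
// later auth_time compare as older and lock the user out permanently.
function recordRevocation(db, uid, revokedAtMs) {
  db.metadata = db.metadata || {};
  db.metadata[uid] = { revokeTime: Math.floor(revokedAtMs / 1000) };
}

// Mirror of the .read/.write expression:
//   $user_id === auth.uid &&
//   auth.token.auth_time > (metadata/<auth.uid>/revokeTime || 0)
function ruleAllows(db, pathUserId, auth) {
  if (!auth) return false; // unauthenticated requests have auth === null
  const entry = (db.metadata || {})[auth.uid];
  const revokeTime = (entry && entry.revokeTime) || 0; // no record => 0
  return pathUserId === auth.uid && auth.token.auth_time > revokeTime;
}

// Constructed sample data: alice signed in at t = 1700000000 (seconds).
function demo() {
  const db = {};
  const oldSession = { uid: "alice", token: { auth_time: 1700000000 } };
  const results = {};

  results.beforeRevoke = ruleAllows(db, "alice", oldSession);
  results.otherUsersNode = ruleAllows(db, "bob", oldSession);

  // The session is revoked 600 s after sign-in.
  recordRevocation(db, "alice", 1700000600 * 1000);
  results.afterRevoke = ruleAllows(db, "alice", oldSession);

  // A sign-in in the same second as the revocation is still rejected,
  // because the comparison is strict (>).
  const sameSecond = { uid: "alice", token: { auth_time: 1700000600 } };
  results.sameSecond = ruleAllows(db, "alice", sameSecond);

  // A sign-in after the revocation carries a newer auth_time.
  const newSession = { uid: "alice", token: { auth_time: 1700000660 } };
  results.afterReauth = ruleAllows(db, "alice", newSession);
  results.unauthenticated = ruleAllows(db, "alice", null);
  return results;
}

console.log(demo());
```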