Persisting authentication state

[WesselKoorn]

Hi!

We want users to stay signed in to our app forever (or at least a very long time) so they don't have to re-authenticate so often, but I'm not sure how to implement this. AFAIK react-native-firebase should refresh the tokens automatically (?), but this is not the case for us. Users have to sign in daily.

This might be similar to #980, although it looks like the state does not persist for any of our users. The state persist fine within a session but the session just expires every hour or so. This is how we implemented the onAuthStateChanged method:

// App.js

  useEffect(() => {
    const unsubscribe = auth().onAuthStateChanged(onAuthStateChanged);

    return () => {
      unsubscribe();
    };
  }, []);

  const onAuthStateChanged = async (firebaseUser) => {
    try {
      if (firebaseUser) {
        const userIdToken = await firebaseUser.getIdToken();
        await dispatch(login(userIdToken));
      }
    } catch (error) {
      crashlytics().recordError(error, 'onAuthStateChanged');
    } finally {
      setFadeLoaderOut(true);
    }
  }

It looks like using refresh tokens will solve our issue since they don't expire, but they're not supported by this library. Is that still a work in progress or is there another way to keep the user signed in?

Thanks! 🔥

[mikehardy]

This is strange, I don't have this issue with my app, using react-native-firebase. The auth tokens are apparently refreshed just fine.

We have noticed issues with other people having tokens cycle unexpectedly, with e.g. react-native-push-notifications and onesignal among other third party libraries.

I encourage you to try it with an otherwise empty project, like from https://github.com/mikehardy/rnfbdemo/blob/master/make-demo.sh and my hypothesis is that you will have stable / continued logins + tokens and not reproduce this.

[WesselKoorn]

@mikehardy Thanks for your fast reply, I'll try out if I can replicate with an empty project running your script. One thing I forgot to mention is that we save the idToken in AsyncStorage and validate that token on our backend every time we make an API call. Could that be causing issues? I would expect that onAuthStateChanged will be fired when the token expires?

[mikehardy]

I'm never sure about project-specific styles. I know I save the token in firebase personally and use it for cloud message addressing, and it works over multi-day spans

[WesselKoorn]

@mikehardy How do you save the token exactly? Do you also roughly know how long you don't have to sign in if everything works correctly (couple days, weeks, months)?

[mikehardy]

I'm not sure exactly how long but definitely weeks, maybe longer? I think it's basically indefinite and I'm sorry I don't have an exact answer it is just that I always testing and eventually that involves a logout / login. I save the token by adding it to a deviceid/token map I store in firestore which is used for messaging later, so it's just a firestore object set and firestore handles it

[WesselKoorn]

I think I found the issue - @mikehardy thanks for your feedback.

We're using the idToken as access token for our own API, and validate that token on the backend with the Firebase Admin SDK. On the frontend we listen to the onAuthStateChanged event to retrieve the user's idToken and save the idToken in AsyncStorage. We get the idToken from AsyncStorage every time we make an API call to our own backend.

For some reason I thought that the onAuthStateChanged event would get triggered when the idToken refreshes, but this is not the case. The RNFB SDK just refreshed the token silently, and you will get the updated token when you call auth().currentUser.getIdToken(). So right now instead of getting the idToken from AsyncStorage before every API call, we just call auth().currentUser.getIdToken().

Hope this makes sense to anyone who's running into a similar issue.