Firebase token refresh expiration

While testing the security of one of our products, a web application that uses the Firebase REST API, we were surprised to realize that refresh tokens never expire in the V3 implementation of Firebase, allowing any refresh token to create new tokens forever.

While local storage appears to be a reasonably secure solution today, we are concerned that it might fail tomorrow even for a short amount of time and that we cannot prevent anyone from using any of these refresh tokens.

Two-factor authentication will help mitigate the problem, but the first step will be compromised nonetheless.

Is there a way to use blacklisted tokens or similar behavior with Firebase without having to handle all token exchanges ourselves? We could not find such a function in the documentation.

Any advice is appreciated.

+3

2 answers


Firebase recently implemented revokeRefreshTokens() inside the Admin SDK.

While this will prevent you from killing an invalid JWT, it does allow you to prevent the token from being updated (at least from my testing), and it allows you to clear the control flow inside the Firebase database.



See "Controlling Sessions" for approximate examples.

+2

Authentication sessions do not end when logging into Firebase. But the ID token needs to be updated hourly to be able to access the services. If you disable the account, the token update will fail and the account will no longer be able to access services. It is not possible to revoke individual tokens.



+2

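The two answers describe one mechanism from two sides: revokeRefreshTokens() stamps a "tokens valid after" time on the user record, disabling the account blocks the hourly refresh, and an ID token that is still unexpired is only caught if the server verifies it with the revocation check turned on. The following is an added example, not code from the question, the answers or the Firebase Admin SDK: an in-memory model of that behaviour so the three outcomes can be compared on one sample session. The uid, timestamps and token objects are constructed for the example (tokens are plain objects, not signed JWTs; signature checking is left to the real SDK), and the error strings mirror the ones the Firebase REST token endpoint and the Admin SDK use.

```javascript
// Added example (not from the original post or the Firebase SDK): a local model
// of Firebase session revocation.
//  - a user record carries tokensValidAfterTime (seconds since epoch);
//  - revokeRefreshTokens() moves that timestamp to "now";
//  - a refresh token or ID token whose auth_time is older than it is rejected;
//  - a disabled user cannot refresh at all.
// The real calls are admin.auth().revokeRefreshTokens(uid),
// admin.auth().updateUser(uid, { disabled: true }) and
// admin.auth().verifyIdToken(idToken, /* checkRevoked */ true).

const ID_TOKEN_TTL = 3600; // ID tokens live one hour, as the second answer notes

const users = new Map(); // constructed stand-in for Firebase user records

function createUser(uid) {
  users.set(uid, { disabled: false, tokensValidAfterTime: 0 });
}

function mintIdToken(uid, authTime, now) {
  return { uid, auth_time: authTime, iat: now, exp: now + ID_TOKEN_TTL };
}

// Sign-in issues a refresh token and an ID token that share one auth_time.
// Refreshed ID tokens keep the auth_time of the original sign-in, which is
// what lets a single revocation timestamp cut off a whole session.
function signIn(uid, now) {
  return { refreshToken: { uid, auth_time: now }, idToken: mintIdToken(uid, now, now) };
}

// Model of the token endpoint the client calls every hour. The error strings
// are the ones the Firebase REST API returns for these two cases.
function refreshIdToken(refreshToken, now) {
  const user = users.get(refreshToken.uid);
  if (!user || user.disabled) return { ok: false, code: 'USER_DISABLED' };
  if (refreshToken.auth_time < user.tokensValidAfterTime) {
    return { ok: false, code: 'TOKEN_EXPIRED' };
  }
  return { ok: true, idToken: mintIdToken(refreshToken.uid, refreshToken.auth_time, now) };
}

// Model of admin.auth().revokeRefreshTokens(uid).
function revokeRefreshTokens(uid, now) {
  users.get(uid).tokensValidAfterTime = now;
}

// Model of admin.auth().updateUser(uid, { disabled: true }).
function disableUser(uid) {
  users.get(uid).disabled = true;
}

// Model of admin.auth().verifyIdToken(idToken, checkRevoked). Without
// checkRevoked only the expiry is checked, so an ID token issued before the
// revocation stays usable for up to an hour; with checkRevoked the user record
// is consulted (one extra backend call in the real SDK).
function verifyIdToken(idToken, checkRevoked, now) {
  if (idToken.exp <= now) return { ok: false, code: 'auth/id-token-expired' };
  if (!checkRevoked) return { ok: true, uid: idToken.uid };
  const user = users.get(idToken.uid);
  if (!user || user.disabled) return { ok: false, code: 'auth/user-disabled' };
  if (idToken.auth_time < user.tokensValidAfterTime) {
    return { ok: false, code: 'auth/id-token-revoked' };
  }
  return { ok: true, uid: idToken.uid };
}

// The scenario from the question: a refresh token that keeps working until the
// session is revoked or the account is disabled.
function scenario() {
  const uid = 'user-123';      // constructed uid
  const t0 = 1700000000;       // constructed sign-in time (seconds)
  createUser(uid);
  const { refreshToken } = signIn(uid, t0);

  const firstRefresh = refreshIdToken(refreshToken, t0 + 3600);  // still allowed
  revokeRefreshTokens(uid, t0 + 4000);                            // admin revokes
  const secondRefresh = refreshIdToken(refreshToken, t0 + 4500); // now rejected

  // The ID token from the first refresh does not expire until t0 + 7200.
  const lax = verifyIdToken(firstRefresh.idToken, false, t0 + 4500);
  const strict = verifyIdToken(firstRefresh.idToken, true, t0 + 4500);

  disableUser(uid);
  const refreshWhenDisabled = refreshIdToken(refreshToken, t0 + 4600);
  const verifyWhenDisabled = verifyIdToken(firstRefresh.idToken, true, t0 + 4600);

  return {
    refreshBeforeRevoke: firstRefresh.ok,
    refreshAfterRevoke: secondRefresh.code,
    verifyWithoutCheck: lax.ok,
    verifyWithCheck: strict.code,
    refreshWhenDisabled: refreshWhenDisabled.code,
    verifyWhenDisabled: verifyWhenDisabled.code,
  };
}

console.log(scenario());
```

The point to take from the model is the gap between `verifyWithoutCheck` and `verifyWithCheck`: revocation stops the refresh chain immediately, but any server that calls verifyIdToken without the revocation flag will keep accepting already-issued ID tokens until they expire an hour later, so sensitive operations should pass `checkRevoked = true` and accept the extra backend lookup.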