How to revoke an authentication token?

Firebase now offers the ability to revoke refresh tokens, it's quite fresh - added 04/01/2018. https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens

You can't really revoke that specific token (outside of invalidating the secret that generated the token, but that will invalidate all other tokens issued by that secret too - probably not what you want).

You can, however, rely on some information that's specific to the token (perhaps you included a unique user ID as data in the token) and update your security rules to reject any operations that match that value.

Adding to @Alex Redwood's answer

This is the important part:

return admin.auth().revokeRefreshTokens(uid)
    .then(() => {
      // Get user's tokensValidAfterTime.
      return admin.auth().getUser(uid);
    })

The example in the documentation has all kinds of nuanced cases, like writing a timestamp to the database to prevent reads until the current token expires, very implementation specific cases. The important part is you call revokeRefreshTokens(uid) on the correct uid, and verify the userRecord has modified the userRecord.tokensValidAfterTime value. This will not expire your active tokens. So it is valuable to have short expiry times to shorten the attack window (A better solution than a database rule that checks a timestamp in my opinion).

From: https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens

How to revoke an authentication token?

Tags:

Firebase

Firebase Security

Related

Recent Posts