How to revoke an authentication token?

生来就可爱ヽ(ⅴ<●) Submitted on 2019-12-28 06:44:51

Question


Say I generated an authentication token, and to save on processing and remote calls, I've set its expiration date some 30 days in the future.

Now I want to remove this account from my system, is there a way to revoke the authentication token I have given the client?

I don't think that's possible currently, and I can certainly work around that (by not having such high expiration times mostly), but I just wanted to make sure I didn't miss something in the docs.


Answer 1:


You can't really revoke that specific token (outside of invalidating the secret that generated the token, but that will invalidate all other tokens issued by that secret too - probably not what you want).

You can, however, rely on some information that's specific to the token (perhaps you included a unique user ID as data in the token) and update your security rules to reject any operations that match that value.




Answer 2:


Firebase now offers the ability to revoke refresh tokens, it's quite fresh - added 04/01/2018. https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens




Answer 3:


Adding to @Alex Redwood's answer

This is the important part:

// Revoke every refresh token for this user, then re-read the user record
// so the caller can confirm tokensValidAfterTime was updated.
return admin.auth().revokeRefreshTokens(uid)
    .then(() => {
      // Get user's tokensValidAfterTime.
      return admin.auth().getUser(uid);
    })

The example in the documentation has all kinds of nuanced cases, like writing a timestamp to the database to prevent reads until the current token expires, very implementation-specific cases. The important part is that you call revokeRefreshTokens(uid) on the correct uid, and verify that the returned userRecord has a modified userRecord.tokensValidAfterTime value. This will not expire your active tokens. So it is valuable to have short expiry times to shorten the attack window (a better solution than a database rule that checks a timestamp, in my opinion).

From: https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens
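The following is an added example, not code from the question, the answers, or the Firebase SDK. It models in plain Node.js what the two answers describe: a per-user "tokens valid after" timestamp that is set when refresh tokens are revoked (Answer 3), and a deny-list keyed on a claim carried in the token (Answer 1). It shows why an already-issued token keeps working until its `exp` unless the verifier also compares `auth_time` against the recorded revocation time. The store, the uid, the timestamps and the `verifyIdToken` shape are all constructed for the demo; real Firebase stores `tokensValidAfterTime` as an ISO string on the user record and performs this comparison only when `verifyIdToken` is called with `checkRevoked = true`.

```javascript
// Constructed in-memory user store: uid -> { tokensValidAfterTime }.
// Stands in for the user record the identity provider keeps server-side.
const users = new Map();

// Constructed deny-list keyed on a token claim (here the uid), the approach
// from Answer 1: reject any operation whose token carries a denied value.
const deniedUids = new Set();

// Model of revokeRefreshTokens(uid): record the instant of revocation.
// Tokens whose auth_time is earlier than this instant are treated as revoked
// by a verifier that opts in to the revocation check.
function revokeRefreshTokens(uid, nowSeconds) {
  const rec = users.get(uid) || {};
  rec.tokensValidAfterTime = nowSeconds;
  users.set(uid, rec);
  return rec;
}

// Model of an ID-token verifier working on an already-decoded claim set
// { uid, auth_time, exp } (epoch seconds). Signature checking is out of
// scope here; this only shows the expiry, deny-list and revocation logic.
function verifyIdToken(token, nowSeconds, checkRevoked) {
  if (token.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  if (deniedUids.has(token.uid)) {
    return { ok: false, reason: 'denied' };
  }
  if (checkRevoked) {
    const rec = users.get(token.uid);
    if (rec && rec.tokensValidAfterTime !== undefined &&
        token.auth_time < rec.tokensValidAfterTime) {
      return { ok: false, reason: 'revoked' };
    }
  }
  return { ok: true, reason: null };
}

// Walk through the lifecycle the answers discuss and return each outcome.
function demo() {
  users.clear();
  deniedUids.clear();

  const uid = 'user-123';          // constructed
  const issuedAt = 1_000_000;      // constructed epoch seconds
  // A one-hour ID token minted at issuedAt.
  const token = { uid, auth_time: issuedAt, exp: issuedAt + 3600 };

  // 1. Fresh token, nothing revoked: accepted.
  const before = verifyIdToken(token, issuedAt + 10, true);

  // 2. Account removed: revoke refresh tokens at issuedAt + 60.
  revokeRefreshTokens(uid, issuedAt + 60);

  // 3. Verifier that does NOT check revocation still accepts the old token
  //    (this is the "will not expire your active tokens" point in Answer 3).
  const withoutCheck = verifyIdToken(token, issuedAt + 120, false);

  // 4. Verifier that DOES check revocation rejects it immediately.
  const withCheck = verifyIdToken(token, issuedAt + 120, true);

  // 5. Alternatively, deny the uid carried in the token (Answer 1's approach);
  //    this works even for a verifier that skips the revocation check.
  deniedUids.add(uid);
  const denied = verifyIdToken(token, issuedAt + 120, false);

  // 6. Once exp passes, the token is dead regardless of any other check.
  deniedUids.clear();
  const afterExpiry = verifyIdToken(token, issuedAt + 3601, false);

  return {
    before: before.ok,            // true
    withoutCheck: withoutCheck.ok, // true: revocation alone did not stop it
    withCheck: withCheck.reason,   // 'revoked'
    denied: denied.reason,         // 'denied'
    afterExpiry: afterExpiry.reason, // 'expired'
  };
}

module.exports = { revokeRefreshTokens, verifyIdToken, demo };
```

Step 3 is the behaviour the answers warn about: revocation is recorded on the user record, but a verifier that does not opt in to the revocation check keeps accepting the old token until `exp`. That is why short token lifetimes matter, and why the deny-list style check in step 5 can be a useful complement when the verifying service cannot, or does not, call back to the provider on every request.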



Source: https://stackoverflow.com/questions/21560336/how-to-revoke-an-authentication-token
