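I am able to let users sign in to Firebase with an email and password. I followed these instructions: https://firebase.google.com/docs/reference/rest/auth/#section-sign-in-email-password
However, after 1 hour the authentication seems to expire and I can no longer use my app. Does anyone know how I can extend that hour? I have read several posts about very similar problems, but could not find a clear answer. It seems some people think there is a way to obtain a re-authentication token or something similar, but there is still no clear answer.
Best answer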
Firebase Authentication sessions are long lived. Every time a user signs in, the user credentials are sent to the Firebase Authentication backend and exchanged for a Firebase ID token (a JWT) and refresh token. Firebase ID tokens are short lived and last for an hour; the refresh token can be used to retrieve new ID tokens. Refresh tokens expire only when one of the following occurs:
- The user is deleted
- The user is disabled
- A major account change is detected for the user. This includes events like password or email address updates.
Managing tokens on web clients
Web client code can call User.getIdToken(forceRefresh?: boolean):
Returns the current token if it has not expired. Otherwise, this will refresh the token and return a new one.
This method needs to be called every time the token is sent to the server.
Alternatively, user sessions can be managed through session cookies.
Manage Session Cookies
Firebase Auth provides server-side session cookie management for traditional websites that rely on session cookies. This solution has several advantages over client-side short-lived ID tokens, which may require a redirect mechanism each time to update the session cookie on expiration:
- Improved security via JWT-based session tokens that can only be generated using authorized service accounts.
- Stateless session cookies that come with all the benefit of using JWTs for authentication. The session cookie has the same claims (including custom claims) as the ID token, making the same permissions checks enforceable on the session cookies.
- Ability to create session cookies with custom expiration times ranging from 5 minutes to 2 weeks.
- Flexibility to enforce cookie policies based on application requirements: domain, path, secure, httpOnly, etc.
- Ability to revoke session cookies when token theft is suspected using the existing refresh token revocation API.
- Ability to detect session revocation on major account changes.
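The question signs in through the REST API, where no SDK refreshes the ID token for you. The following is an added example, not code from the original answer or from Firebase: it reproduces the `getIdToken` behaviour by hand against the REST API's refresh-token exchange endpoint. `TokenSession`, `jwtExpiry` and `needsRefresh` are hypothetical names, and `fetchFn` and `now` are injectable assumptions so the logic can be exercised offline.

```javascript
// Added example: TokenSession, jwtExpiry and needsRefresh are hypothetical names.
const TOKEN_URL = "https://securetoken.googleapis.com/v1/token";

// Read the `exp` claim (seconds since epoch) without verifying the signature.
// Used only to schedule a refresh; the server still has to verify the token.
function jwtExpiry(idToken) {
  const seg = String(idToken).split(".")[1];
  if (!seg) throw new Error("not a JWT");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4))).exp;
}

// True once the token is within skewSec of expiry (default: 5 minutes early).
function needsRefresh(idToken, nowSec, skewSec = 300) {
  return jwtExpiry(idToken) - nowSec <= skewSec;
}

class TokenSession {
  constructor({ apiKey, idToken, refreshToken, fetchFn, now }) {
    Object.assign(this, { apiKey, idToken, refreshToken, pending: null });
    this.fetchFn = fetchFn || globalThis.fetch;
    this.now = now || (() => Date.now() / 1000);
  }

  // Same contract as User.getIdToken: cached token while valid, else refresh.
  async getIdToken(forceRefresh = false) {
    if (!this.refreshToken) throw new Error("signed out: sign in again");
    if (!forceRefresh && !needsRefresh(this.idToken, this.now())) return this.idToken;
    // Concurrent callers share one in-flight refresh request.
    if (!this.pending) this.pending = this.refresh().finally(() => { this.pending = null; });
    return this.pending;
  }

  async refresh() {
    const res = await this.fetchFn(`${TOKEN_URL}?key=${encodeURIComponent(this.apiKey)}`, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: this.refreshToken }).toString(),
    });
    const body = await res.json();
    if (!res.ok) {
      // Refresh token no longer valid (user deleted/disabled, password or email changed).
      this.idToken = this.refreshToken = null;
      throw new Error(`refresh rejected: ${(body.error && body.error.message) || res.status}`);
    }
    Object.assign(this, { idToken: body.id_token, refreshToken: body.refresh_token });
    return this.idToken;
  }
}
```

The refresh token is the long-lived credential in this flow, so it deserves the same storage protection as a password.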
Regarding Firebase authentication expiring after 1 hour, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/58167503/