Firebase auth expires after 1 hr

I am able to allow users to log in to Firebase using email and password. I followed these instructions: https://firebase.google.com/docs/reference/rest/auth/#section-sign-in-email-password

However, after 1 hr it seems the auth expires and I can't use my app anymore. Does anybody know how I can extend that hour? I have read MULTIPLE posts with very similar questions, but I can't find a clear answer. It seems some people think there is a way to obtain a reauth token or something like that, but still no clear answer.

Rookie asked Sep 30 '19 12:09


1 Answer

Manage User Sessions

Firebase Authentication sessions are long lived. Every time a user signs in, the user credentials are sent to the Firebase Authentication backend and exchanged for a Firebase ID token (a JWT) and refresh token. Firebase ID tokens are short lived and last for an hour; the refresh token can be used to retrieve new ID tokens. Refresh tokens expire only when one of the following occurs:

  • The user is deleted
  • The user is disabled
  • A major account change is detected for the user. This includes events like password or email address updates.

Manage Tokens on Web Client

The website client code can call User.getIdToken(forceRefresh?: boolean):

Returns the current token if it has not expired. Otherwise, this will refresh the token and return a new one.

This would need to be called each time a token is sent to the server.


Alternatively, user sessions may be managed via session cookies.

Manage Session Cookies

Firebase Auth provides server-side session cookie management for traditional websites that rely on session cookies. This solution has several advantages over client-side short-lived ID tokens, which may require a redirect mechanism each time to update the session cookie on expiration:

  • Improved security via JWT-based session tokens that can only be generated using authorized service accounts.
  • Stateless session cookies that come with all the benefit of using JWTs for authentication. The session cookie has the same claims (including custom claims) as the ID token, making the same permissions checks enforceable on the session cookies.
  • Ability to create session cookies with custom expiration times ranging from 5 minutes to 2 weeks.
  • Flexibility to enforce cookie policies based on application requirements: domain, path, secure, httpOnly, etc.
  • Ability to revoke session cookies when token theft is suspected using the existing refresh token revocation API.
  • Ability to detect session revocation on major account changes.
Christopher Peisert answered Oct 04 '22 12:10
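The client-side behaviour the answer describes for User.getIdToken(), as an added example that is neither the question's nor the answer's code and not the Firebase SDK: an hour-long ID token is reused while its `exp` claim is still in the future, and otherwise the refresh token is exchanged for a new one. It assumes an injected `exchange` function standing in for the REST refresh endpoint (securetoken.googleapis.com/v1/token with grant_type=refresh_token) so that it runs offline.

```javascript
// Added example (not from the question, the answer, or the Firebase SDK): a
// client-side cache behaving like User.getIdToken(forceRefresh) for the REST
// flow in the question: reuse the hour-long ID token while its `exp` claim is
// in the future, otherwise exchange the refresh token for a new pair.
// Assumption: `exchange` is an injected async function that POSTs
// grant_type=refresh_token to securetoken.googleapis.com/v1/token and resolves
// to { idToken, refreshToken }; the stand-in used in tests is constructed.
function base64url(str) {
  return Buffer.from(str).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed sample token (header.payload.dummy-signature) for offline use only;
// real ID tokens are signed by Google and are never built client-side.
function makeSampleJwt(payload) {
  const header = base64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64url(JSON.stringify(payload))}.sig`;
}

// Read the payload without verifying the signature: fine for a client deciding
// when to refresh, but the server must still verify every token it receives.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// True while the token is usable at `nowSeconds`, with a safety margin so a
// request is not sent with a token that expires while in flight.
function isFresh(idToken, nowSeconds, skewSeconds = 60) {
  return decodeJwtPayload(idToken).exp - skewSeconds > nowSeconds;
}

class IdTokenManager {
  constructor(idToken, refreshToken, exchange) {
    this.idToken = idToken;
    this.refreshToken = refreshToken;
    this.exchange = exchange;
  }
  // Mirrors User.getIdToken(forceRefresh): cached token if valid, else refresh.
  async getIdToken(forceRefresh = false, nowSeconds = Math.floor(Date.now() / 1000)) {
    if (!forceRefresh && isFresh(this.idToken, nowSeconds)) return this.idToken;
    // If the refresh token was revoked (user disabled, password changed, ...)
    // the exchange rejects and the only recovery is a fresh sign-in.
    const fresh = await this.exchange(this.refreshToken);
    this.idToken = fresh.idToken;
    this.refreshToken = fresh.refreshToken;
    return this.idToken;
  }
}
```

Call `getIdToken()` each time a token is attached to a request, as the answer advises, rather than caching the string elsewhere in the app.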