When I reload my Angular-4-based webpage, I reacquire the Firebase user token, via:
firebase.auth().onIdTokenChanged( user => {
  if (user) {
    user.getIdToken().then( (token:string) => {
      // ...save token...
    })
  }
})
and I have access to my password-protected Firebase database.
However, this still works after I have logged out, via:
firebase.auth().signOut();
How can this happen? How should I be logging out if that is not correct? How do I get a status back from signOut()?
signOut() returns a promise which you can monitor for completion.
What exactly is it that still works after signing out? Using the SDK normally surely would not. But without a minimal and complete repro here it's hard to say what you're getting at.
If you're manually managing the Firebase ID token and passing that to a server process or something similar, the token is good until it expires (standard JWT). Since you've gone into DIY territory, it's your job to dispose of it when you want it to stop working, or wait for the expiration.
Note that I'm fairly sure you can manually revoke access from the admin panel, but that's a bit of a different process and probably not what you're looking for here.
arrrg...I was doing a nice detailed reply, when I did a sanity check that it happens in Safari too, and not just Chrome...once I logged out in Safari, I stopped getting the symptom on Chrome. D'OH!
(I was using the same login on both browsers). This smells really bad, but I'll leave this on the far back burner until I have the time to sort out the (now more arcane) steps to reproduce the actual problem.
That does seem bad. Looking forward to getting some more repro steps!
@katowulf This happens to me as well in an Emberfire App.
firebase.auth().signOut(); completes fine. If I log out in ALL browsers I stay logged out after refresh.
There was a small synchronization issue, which should be fixed in the upcoming 4.6.0 release. Though, I think your situation is different. The other issue happened only rarely.
@bojeil-google what happens to ME and to @polyglotinc is the same so are you saying that OUR issue is really a "Multiple Browser signin prevents signout" issue?
I meant, the issue that was solved by the bug I mentioned which was fixed in https://firebase.google.com/support/release-notes/js#4.6.0
Can you check after sign out that localStorage is cleared from the currentUser?
@bojeil-google cc: @polyglotinc
Hey @brendanoh, can you try testing with the latest version 4.6.0? I tested with Chrome and Firefox in a Linux environment and was not able to reproduce it with that version. I opened multiple windows, signed in in one and then signed out in the same one, refreshed and the user was still signed out.
@bojeil-google
I am on 3.9 now as installed via EmberFire. I will try 4.6.
Also, I am having the issue on localhost but I haven't tested on a production domain.
Wow, very broken API, I'm having the same issues.
Hey @AmitShah can you provide more context on your issue? Is this regarding the user not signing out properly? As I mentioned, there was an edge case issue which we recently fixed. This should no longer be an issue. I am just not sure what exactly you are encountering as I can't replicate the above scenario described by @brendanoh.
The topic title is confusing here. I want to clarify that a token will remain active until the end of its natural lifetime even after sign out. In fact, you can keep a reference to a user and then sign out. The user would still be functional but will stop being persisted as currentUser. This is the expected behavior. If you are having that user persist after sign out, please provide us with a way to replicate it so we can fix it.
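The behaviour described in the comment above, and in the earlier reply about manually managed tokens, as an added example that is not part of the original thread or of the Firebase SDK. It models the question's "save token" pattern in plain Node; `SavedToken`, `makeSampleToken`, the stand-in user object and the token itself are hypothetical and constructed for illustration.

```javascript
// Added example: models the question's "save token" pattern without the Firebase SDK.
// The token is a constructed, unsigned JWT-shaped string; a real verifier also
// checks signature, issuer and audience.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed sample token: expires one hour after `iat` (seconds).
function makeSampleToken(iat) {
  const payload = { sub: 'sample-uid', iat, exp: iat + 3600 };
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(payload)}.`;
}

// Read the claims from a JWT without verifying it.
function decodeClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// What an expiry-only check sees: the exp claim, not the sign-out.
function isUnexpired(token, nowSeconds) {
  return nowSeconds < decodeClaims(token).exp;
}

// Hypothetical holder for the manually saved token.
class SavedToken {
  constructor() { this.token = null; }
  // Body of an onIdTokenChanged callback: user is null after signOut().
  async onUserChanged(user) {
    this.token = user ? await user.getIdToken() : null;
  }
  // Hand out the token only while one is held and it has not expired.
  bearer(nowSeconds) {
    if (!this.token || !isUnexpired(this.token, nowSeconds)) return null;
    return this.token;
  }
}

async function demo() {
  const fakeUser = { getIdToken: async () => makeSampleToken(1000) }; // stand-in user
  const saved = new SavedToken();
  await saved.onUserChanged(fakeUser);
  const copy = saved.bearer(1500);   // a copy already handed to some other process
  await saved.onUserChanged(null);   // sign-out: the holder drops its token
  return {
    afterSignOut: saved.bearer(1500),            // null
    copyStillUnexpired: isUnexpired(copy, 1500), // true, until exp
    copyAfterExpiry: isUnexpired(copy, 4600),    // false
  };
}
```

Dropping the saved token in the `null` branch of the callback is what stops the client from sending it; any copy held elsewhere keeps passing an expiry-only check until `exp`.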
Thanks @bojeil-google for a bit of clarification. I didn't realize that a token would still be active until its natural lifetime expiration. So I was seeing my Java verification of ID Token was still passing even after signing out. That works for me. I can simply handle it on the client side. Thank you.
Is there any progress on this issue?
Just to clarify, is it expected for the user's auth credentials to persist in local storage after logout? And is it the client side's job to remove credentials from local storage?
Thanks,
Should this issue be closed? It looks like Firebase has switched from local storage to IndexedDB.
This issue looks more current https://github.com/firebase/firebase-js-sdk/issues/449
For anyone looking for a clean-_ish_ workaround, you can append a query string param right before redirecting the user away using signInWithRedirect. Current page query params will be picked up by signInWithRedirect and will be carried back by the flow. Then, after the user is redirected back, just check for the presence of the parameter. If the query param is absent on page load, clearly the user did not come back from the redirect flow and you can skip calling getRedirectResult entirely, thus avoiding the whole issue.
In addition however, I would expect sign out to be able to purge all user data from the browser, even if as optional API.
I was facing a similar issue. Below is the link which provides a workaround:
https://groups.google.com/forum/#!topic/firebase-talk/gxBm0WKCuIY
For internally tracking the clarification/update to the docs, b/156547460