Revoke tokens and verify check revoked snippets #21

Merged
merged 14 commits into from
Feb 13, 2018
Expand Up @@ -207,6 +207,42 @@ public static void verifyIdToken(String idToken) throws InterruptedException, Ex
System.out.println("Decoded ID token from user: " + uid);
}

public static void verifyIdTokenCheckRevoked(String idToken) throws InterruptedException, ExecutionException {
// [START verify_id_token_check_revoked]
try {
// Verify the ID token while checking if the token is revoked by passing checkRevoked
// as true.
FirebaseToken decodedToken = FirebaseAuth.getInstance().verifyIdTokenAsync(idToken, true).get();
Contributor

Change this as follows for clarity:

boolean checkRevoked = true;
FirebaseToken decodedToken = FirebaseAuth.getInstance().verifyIdTokenAsync(idToken, checkRevoked).get();

String uid = decodedToken.getUid();
}
catch (FirebaseAuthException e) {
if (FirebaseUserManager.ID_TOKEN_REVOKED_ERROR == e.getErrorCode()) {
Contributor

Is this really visible in the public API?

// Token is valid but has been revoked.
// When this occurs, inform the user to reauthenticate or signOut() the user.
} else {
// Error is other than "revoked" token is invalid.
}
}
// [END verify_id_token_check_revoked]
System.out.println("Decoded ID token from user: " + uid);
}

public static void revokeIdTokens(String idToken) throws InterruptedException, ExecutionException {
Contributor

This looks like an equivalent version of a Functions sample we have in docs. If so, it might not be useful at this point.

String uid="someUid";
// [START revoke_tokens]
FirebaseToken decodedToken = FirebaseAuth.getInstance().revokeRefreshTokens(uid).get();
UserRecord user = FirebaseAuth.getInstance().getUserAsync(uid).get();
// Convert to seconds as the auth_time in the token claims is in seconds too.
long revocationSecond = user.getTokensValidAfterTimestamp() / 1000;

// Save the refresh token revocation timestamp. This is needed to track ID token
// revocation via Firebase rules.
DatabaseReference ref = FirebaseDatabase.getInstance().getReference("metadata/" + uid);
ref.setValueAsync(MapBuilder.of("revokeTime", revocationSecond));
Contributor

Add .get() at the end to block?

// [END revoke_tokens]
System.out.println("Decoded ID token from user: " + uid);
}

public static void main(String[] args) throws InterruptedException, ExecutionException {
System.out.println("Hello, AuthSnippets!");
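Review bot: in verifyIdTokenCheckRevoked, `uid` is declared inside the `try` block but read by the `System.out.println` after the `catch`, so the method does not compile as written, and both catch branches fall through to that print as if verification had succeeded. Move the print inside the `try`, or return or rethrow from each catch branch, so a revoked or otherwise invalid token never reaches code that uses `uid`. The revoked check uses `==` on the error code; if `getErrorCode()` returns a String this is a reference comparison, and `FirebaseUserManager.ID_TOKEN_REVOKED_ERROR.equals(e.getErrorCode())` is the safer form. In revokeIdTokens, the `idToken` parameter is unused while `uid` is hard-coded, the result of `revokeRefreshTokens(uid).get()` is assigned to a `FirebaseToken decodedToken` that is never read, and the trailing print still says "Decoded ID token from user", which looks copied from the verify snippet.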
