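I am migrating a node.js application to Firebase v3.
In v2 I used FirebaseTokenGenerator to generate custom tokens. It requires an apiToken, which is inconsistent with how Firebase v3 works in node, and I see that the firebase.auth service now has a 'createCustomToken' method, so I assume I should use that now.
The problem is that this method seems to accept only 'uid' and 'developerClaims' as parameters, whereas FirebaseTokenGenerator also accepted an options object that included an 'expires' property.
Is there a way to give tokens generated by 'createCustomToken' an expiration?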
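Answer 0 (score: 1)
Update
Reference: https://groups.google.com/forum/#!topic/firebase-talk/Ezy3RDNNRAs
Once they sign in with the custom token, the ID token that Firebase exchanges it for is long-lived and is refreshed automatically. You do not need to create a new custom token on each request. You can verify the Firebase ID token using the backend server libraries, and as long as it is valid, you do not have to sign the user in again.
So it looks like the generated token is temporary and is used (internally) to retrieve an ID token via FIRAuth.auth()?.signInWithCustomToken(customToken)
From then on the client should be good.
With Firebase 3.0.4: currently no.
From the nodejs module source code it looks like the jwt expiresIn is set to 1 hour. This is unacceptable for mobile app users (as long as they are logged in, their key should be fine). Hopefully this gets fixed, as it is blocking us from upgrading our SDK.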
FirebaseTokenGenerator.prototype.createCustomToken = function(uid, developerClaims) {
  if (typeof uid !== 'string' || uid === '') {
    throw new Error('First argument to createCustomToken() must be a non-empty string uid');
  } else if (uid.length > 128) {
    throw new Error('First argument to createCustomToken() must a uid with less than or equal to 128 characters');
  } else if (typeof developerClaims !== 'undefined' && (typeof developerClaims !== 'object' || developerClaims === null || developerClaims instanceof Array)) {
    throw new Error('Optional second argument to createCustomToken() must be an object containing the developer claims');
  }
  var jwtPayload = {};
  if (typeof developerClaims !== 'undefined') {
    jwtPayload.claims = {};
    for (var key in developerClaims) {
      /* istanbul ignore else */
      if (developerClaims.hasOwnProperty(key)) {
        if (BLACKLISTED_CLAIMS.indexOf(key) !== -1) {
          throw new Error('Developer claim "' + key + '" is reserved and cannot be specified');
        }
        jwtPayload.claims[key] = developerClaims[key];
      }
    }
  }
  jwtPayload.uid = uid;
  return jwt.sign(jwtPayload, this.serviceAccount.private_key, {
    audience: FIREBASE_AUDIENCE,
    expiresIn: ONE_HOUR_IN_SECONDS,
    issuer: this.serviceAccount.client_email,
    subject: this.serviceAccount.client_email,
    algorithm: ALGORITHM
  });
};
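Update: the below will not work, because of this comment: "exp The time, in seconds, at which the token expires. It can be at a maximum 3600 seconds later than iat." A Firebase token is valid for at most 1 hour.
The solution seems to be generating our own token.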
Use a JWT library
You can create a custom token suitable for authenticating with Firebase by using any JWT creation library. Create a JWT that includes the following claims and is signed using RS256.
JWT claims
iss                Your project's service account email address
sub                Your project's service account email address
aud                https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit
iat                The current time, in seconds
exp                The time, in seconds, at which the token expires. It can be at a maximum 3600 seconds later than iat.
uid                The unique identifier of the signed-in user (must be a string, between 1-36 characters long)
claims (optional)  Custom claims to include in the Security Rules auth variable.
An example of a token generation function that should satisfy the above criteria:
// JWT signing library (npm package "jsonwebtoken"); provides jwt.sign used below
var jwt = require('jsonwebtoken');

var ALGORITHM = 'RS256';
// List of blacklisted claims which cannot be provided when creating a custom token
var BLACKLISTED_CLAIMS = [
  'acr', 'amr', 'at_hash', 'aud', 'auth_time', 'azp', 'cnf', 'c_hash', 'exp', 'iat', 'iss', 'jti',
  'nbf', 'nonce'
];
var FIREBASE_AUDIENCE = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

// serviceAccount: object with client_email and private_key
// expiresIn: token lifetime, passed straight through to jwt.sign
function generateFirebaseToken(serviceAccount, uid, expiresIn, developerClaims) {
  var jwtPayload = {};
  if (typeof developerClaims !== 'undefined') {
    jwtPayload.claims = {};
    for (var key in developerClaims) {
      if (developerClaims.hasOwnProperty(key)) {
        // Reserved JWT claims may not be overridden by the caller
        if (BLACKLISTED_CLAIMS.indexOf(key) !== -1) {
          throw new Error('Developer claim "' + key + '" is reserved and cannot be specified');
        }
        jwtPayload.claims[key] = developerClaims[key];
      }
    }
  }
  jwtPayload.uid = uid;
  // Sign with the service account's private key using RS256
  return jwt.sign(jwtPayload, serviceAccount.private_key, {
    audience: FIREBASE_AUDIENCE,
    expiresIn: expiresIn,
    issuer: serviceAccount.client_email,
    subject: serviceAccount.client_email,
    algorithm: ALGORITHM
  });
}
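Added example, not part of the original answer or of the Firebase SDK: the claim set quoted above, signed with RS256 using only Node's built-in crypto module, with the 3600-second limit on exp enforced before signing. The names mintCustomToken, verifyCustomToken and makeSampleAccount, the throwaway key pair and the placeholder e-mail address are assumptions made for the example.

```javascript
const crypto = require('crypto');

const FIREBASE_AUDIENCE = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';
const MAX_LIFETIME_SECONDS = 3600; // "exp" may be at most 3600 s later than "iat"
const RESERVED_CLAIMS = ['acr', 'amr', 'at_hash', 'aud', 'auth_time', 'azp', 'cnf',
  'c_hash', 'exp', 'iat', 'iss', 'jti', 'nbf', 'nonce'];

const b64url = (input) => Buffer.from(input).toString('base64url');

// Hypothetical helper: builds and signs the custom token, refusing lifetimes
// that the quoted claim rules do not allow. "now" (seconds) is optional.
function mintCustomToken(serviceAccount, uid, lifetimeSeconds, developerClaims, now) {
  if (typeof uid !== 'string' || uid === '') throw new Error('uid must be a non-empty string');
  if (!Number.isInteger(lifetimeSeconds) || lifetimeSeconds < 1 || lifetimeSeconds > MAX_LIFETIME_SECONDS) {
    throw new Error('lifetime must be 1..' + MAX_LIFETIME_SECONDS + ' seconds');
  }
  const iat = now === undefined ? Math.floor(Date.now() / 1000) : now;
  const payload = {
    iss: serviceAccount.client_email, sub: serviceAccount.client_email,
    aud: FIREBASE_AUDIENCE, iat: iat, exp: iat + lifetimeSeconds, uid: uid
  };
  if (developerClaims !== undefined) {
    for (const key of Object.keys(developerClaims)) {
      if (RESERVED_CLAIMS.includes(key)) throw new Error('claim "' + key + '" is reserved');
    }
    payload.claims = Object.assign({}, developerClaims);
  }
  const signingInput = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), serviceAccount.private_key);
  return signingInput + '.' + signature.toString('base64url');
}

// Checks the RS256 signature; returns the decoded payload, or null if invalid.
function verifyCustomToken(token, publicKey) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const ok = crypto.verify('RSA-SHA256', Buffer.from(parts[0] + '.' + parts[1]),
    publicKey, Buffer.from(parts[2], 'base64url'));
  return ok ? JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')) : null;
}

// Constructed service account: throwaway RSA key pair and placeholder e-mail.
function makeSampleAccount() {
  const pair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { client_email: 'sample@example.iam.gserviceaccount.com',
    private_key: pair.privateKey, public_key: pair.publicKey };
}
```

With a real service account JSON file, private_key is a PEM string and can be passed to crypto.sign unchanged.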