Auth cookie persistence by jamesdaniels · Pull Request #8839 · firebase/firebase-js-sdk

jamesdaniels · 2025-03-10T04:41:55Z

go/firebase-auth-cookie-persistence, pair with this NextJS middleware.

Demo here—login restricted to @google.com Google accounts.

go/firebase-cookie-auth-bug-bash for bug bash instructions / feedback.

Principles of operation:

New persistence option COOKIE
When persistence is cookie, sign-in and token refresh requests are proxied to /__cookie__, which is handled by the NextJS middleware. The middleware this redacts the refreshToken and stores it in an HTTP-only cookie, the idToken is stored in an JS-readable cookie
getCurrentUser() internally can accept an idToken and will initiated a fetch request to get the user-details
The NextJS middleware can itself freshen the idToken, if it's expired on a full-page load
During logout the client will set the JS-readable cookie to "" and will make a best-effort attempt to hit /__cookie__, the middleware treats the blank string as a logout and will delete the refreshToken cookie if seen

There's a lot to clean up here, some high level things that need to be addressed

Types
Fix tests
The cookie persistence class depends on cookieStore, we need to fall back to navigator.cookie
Need to test with other sign in methods
Sanitize the cookie names
Use sentinel value for logout
Confirm functionality in other UAs
Double check this functions correctly with diff tenants

changeset-bot · 2025-03-10T04:41:58Z

🦋 Changeset detected

Latest commit: 1e50af6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
firebase	Minor
@firebase/auth	Minor
@firebase/auth-compat	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

packages/auth/src/api/index.ts

packages/auth/src/core/user/user_credential_impl.ts

packages/auth/src/model/user.ts

packages/auth/src/platform_browser/persistence/cookie_storage.ts

packages/rules-unit-testing/api-extractor.json

packages/auth/src/api/index.ts

packages/auth/src/core/persistence/persistence_user_manager.ts

packages/auth/src/core/auth/auth_impl.ts

packages/auth/src/platform_browser/persistence/cookie_storage.ts

packages/auth/src/api/index.ts

jamesdaniels · 2025-03-13T15:10:18Z

packages/auth/package.json

    "@rollup/plugin-strip": "2.1.0",
    "@types/express": "4.17.21",
    "chromedriver": "119.0.1",
+    "cookie-store": "4.0.0-next.4",


FYI using this dev-dep for types, somewhere else I tried this ponyfill and found it unsuitable for prod as it can't be webpacked.

packages/auth/src/platform_browser/persistence/cookie_storage.ts

packages/auth/src/api/index.ts

packages/auth/src/platform_browser/persistence/cookie_storage.ts

common/api-review/auth.api.md

google-oss-bot · 2025-03-25T21:11:14Z

Size Report ¹

Affected Products

`@firebase/auth`

Type	Base (`dcc62c0`)	Merge (01c5d15)	Diff
browser	189 kB	193 kB	+3.96 kB (+2.1%)
cordova	164 kB	166 kB	+1.29 kB (+0.8%)
main	146 kB	147 kB	+1.52 kB (+1.0%)
module	189 kB	193 kB	+3.96 kB (+2.1%)
react-native	164 kB	165 kB	+1.29 kB (+0.8%)

@firebase/auth-compat
Type Base (dcc62c0) Merge (01c5d15) Diff
browser 20.2 kB 20.2 kB +4 B (+0.0%)
main 22.4 kB 22.4 kB +4 B (+0.0%)
module 20.2 kB 20.2 kB +4 B (+0.0%)
@firebase/auth-cordova
Type Base (dcc62c0) Merge (01c5d15) Diff
browser 164 kB 166 kB +1.29 kB (+0.8%)
module 164 kB 166 kB +1.29 kB (+0.8%)
@firebase/auth-web-extension
Type Base (dcc62c0) Merge (01c5d15) Diff
browser 141 kB 142 kB +1.29 kB (+0.9%)
main 158 kB 159 kB +1.29 kB (+0.8%)
module 141 kB 142 kB +1.29 kB (+0.9%)
@firebase/auth/internal
Type Base (dcc62c0) Merge (01c5d15) Diff
browser 200 kB 204 kB +3.96 kB (+2.0%)
main 172 kB 173 kB +1.53 kB (+0.9%)
module 200 kB 204 kB +3.96 kB (+2.0%)

`bundle`

Type	Base (`dcc62c0`)	Merge (01c5d15)	Diff
auth (Anonymous)	76.7 kB	77.7 kB	+997 B (+1.3%)
auth (EmailAndPassword)	86.8 kB	87.8 kB	+997 B (+1.1%)
auth (GoogleFBTwitterGitHubPopup)	104 kB	105 kB	+997 B (+1.0%)
auth (GooglePopup)	101 kB	102 kB	+997 B (+1.0%)
auth (GoogleRedirect)	101 kB	102 kB	+997 B (+1.0%)
auth (Phone)	94.2 kB	95.2 kB	+997 B (+1.1%)

`firebase`

Type	Base (`dcc62c0`)	Merge (01c5d15)	Diff
firebase-auth-compat.js	140 kB	141 kB	+893 B (+0.6%)
firebase-auth-cordova.js	137 kB	138 kB	+973 B (+0.7%)
firebase-auth-web-extension.js	119 kB	120 kB	+973 B (+0.8%)
firebase-auth.js	155 kB	158 kB	+2.96 kB (+1.9%)
firebase-compat.js	793 kB	794 kB	+895 B (+0.1%)

Test Logs

https://storage.googleapis.com/firebase-sdk-metric-reports/yzioDUGmst.html

google-oss-bot · 2025-03-25T21:23:21Z

Size Analysis Report ¹

This report is too large (139,584 characters) to be displayed here in a GitHub comment. Please use the below link to see the full report on Google Cloud Storage.

Test Logs

https://storage.googleapis.com/firebase-sdk-metric-reports/lye9reBjpy.html

jamesdaniels · 2025-03-26T15:24:40Z

@sam-gc @DellaBitta @hsubox76 PTAL at the latest iteration, cleaned up a lot. I'll be adding comments, fixing the test I broke with the function rename, and addressing my last few TODOs in the next change-set.

.changeset/orange-turtles-taste.md

packages/auth/src/model/public_types.ts

packages/auth/src/core/persistence/persistence_user_manager.ts

jamesdaniels · 2025-03-27T19:02:57Z

packages/auth/src/core/auth/auth_impl.ts

+    // persistenceMananger to be available. see _getFinalTarget for more context
+    this._persistenceManagerAvailable = new Promise<void>(
+      resolve => (this._resolvePersistenceManagerAvailable = resolve)
+    );


Can i haz Promise.withResolvers yet? 🤣

egilmorez

LG, just a tiny nit!

packages/auth/src/platform_browser/persistence/cookie_storage.ts

jamesdaniels added 3 commits February 25, 2025 11:39

First.

d3792b5

Merge branch 'main' into jamesdaniels_authCookiePersistence

00b0059

First.

aba574a

Sentinal as ""

8acd061

jamesdaniels commented Mar 10, 2025

View reviewed changes

packages/auth/src/api/index.ts Outdated Show resolved Hide resolved

jamesdaniels commented Mar 10, 2025

View reviewed changes

packages/auth/src/core/user/user_credential_impl.ts Outdated Show resolved Hide resolved

jamesdaniels commented Mar 10, 2025

View reviewed changes

packages/auth/src/model/user.ts Outdated Show resolved Hide resolved

DellaBitta reviewed Mar 10, 2025

View reviewed changes

jamesdaniels commented Mar 10, 2025

View reviewed changes

packages/auth/src/core/auth/auth_impl.ts Outdated Show resolved Hide resolved

hsubox76 reviewed Mar 12, 2025

View reviewed changes

packages/auth/src/platform_browser/persistence/cookie_storage.ts Outdated Show resolved Hide resolved

hsubox76 reviewed Mar 12, 2025

View reviewed changes

packages/auth/src/api/index.ts Outdated Show resolved Hide resolved

Cleanup and add cookieStore fallback

a727dce

jamesdaniels commented Mar 13, 2025

View reviewed changes

jamesdaniels commented Mar 25, 2025

View reviewed changes

packages/auth/src/platform_browser/persistence/cookie_storage.ts Show resolved Hide resolved

Cleanup unsubscribes

769624f

sam-gc reviewed Mar 25, 2025

View reviewed changes

packages/auth/src/api/index.ts Outdated Show resolved Hide resolved

packages/auth/src/platform_browser/persistence/cookie_storage.ts Outdated Show resolved Hide resolved

jamesdaniels added 3 commits March 25, 2025 16:41

Cleanup and add docs

31cb8b0

Cleanup and add docs

0bef1eb

Changeset

efdafc5

jamesdaniels commented Mar 25, 2025

View reviewed changes

common/api-review/auth.api.md Outdated Show resolved Hide resolved

This comment was marked as resolved.

Sign in to view

jamesdaniels added 3 commits March 25, 2025 16:57

Beta tag

da747d7

Merge branch 'main' into jamesdaniels_authCookiePersistence

27c203a

Remove unneeded changes

7f850fc

jamesdaniels marked this pull request as ready for review March 25, 2025 21:04

jamesdaniels requested review from a team as code owners March 25, 2025 21:04

jamesdaniels added 6 commits March 25, 2025 19:47

Address feedback, cleanup endpoint check

f587178

Formatting

5568a01

Cleanup

0ac4cad

Tweak wording for doc

d278dcf

Code format COOKIE

fc1ce03

Formatting

6acbb6a

jamesdaniels requested review from DellaBitta, hsubox76 and sam-gc March 26, 2025 15:20

DellaBitta requested changes Mar 26, 2025

View reviewed changes

.changeset/orange-turtles-taste.md Outdated Show resolved Hide resolved

packages/auth/src/model/public_types.ts Outdated Show resolved Hide resolved

packages/auth/src/core/persistence/persistence_user_manager.ts Show resolved Hide resolved

jamesdaniels added 5 commits March 27, 2025 08:10

Cleanup

8f97100

Formatting

3291f23

Update docs

0fb3804

Fix test

bdeeead

Comments!

5a913c9

jamesdaniels requested a review from DellaBitta March 27, 2025 12:33

Fix for the auth race condition

d3fa466

jamesdaniels commented Mar 27, 2025

View reviewed changes

egilmorez approved these changes Mar 27, 2025

View reviewed changes

packages/auth/src/platform_browser/persistence/cookie_storage.ts Outdated Show resolved Hide resolved

hsubox76 approved these changes Mar 27, 2025

View reviewed changes

jamesdaniels added 2 commits March 27, 2025 16:59

Address erics feedback

680583e

Forgot to commit the actual source file

1e50af6

DellaBitta approved these changes Mar 27, 2025

View reviewed changes

jamesdaniels merged commit fb5d422 into main Mar 27, 2025
46 of 48 checks passed

jamesdaniels deleted the jamesdaniels_authCookiePersistence branch March 27, 2025 21:54

google-oss-bot mentioned this pull request Mar 27, 2025

Version Packages #8878

Merged

firebase locked and limited conversation to collaborators Apr 27, 2025

Conversation

jamesdaniels commented Mar 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

changeset-bot bot commented Mar 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🦋 Changeset detected

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jamesdaniels Mar 13, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

This comment was marked as resolved.

google-oss-bot commented Mar 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Size Report 1

Affected Products

@firebase/auth

@firebase/auth-compat

@firebase/auth-cordova

@firebase/auth-web-extension

@firebase/auth/internal

bundle

firebase

Test Logs

Uh oh!

google-oss-bot commented Mar 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Size Analysis Report 1

Test Logs

Uh oh!

jamesdaniels commented Mar 26, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jamesdaniels Mar 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

egilmorez left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

jamesdaniels commented Mar 10, 2025 •

edited

Loading

changeset-bot bot commented Mar 10, 2025 •

edited

Loading

google-oss-bot commented Mar 25, 2025 •

edited

Loading

Size Report ¹

`@firebase/auth`

`@firebase/auth-compat`

`@firebase/auth-cordova`

`@firebase/auth-web-extension`

`@firebase/auth/internal`

`bundle`

`firebase`

google-oss-bot commented Mar 25, 2025 •

edited

Loading

Size Analysis Report ¹

jamesdaniels Mar 27, 2025 •

edited

Loading