New token for every page refresh?

[andrewli-ca]

Hi there,

I'm just wondering is it the expected behavior for a new token to be returned each time a page is refreshed?

export const getServerSideProps = withAuthUserTokenSSR({
  whenUnauthed: AuthAction.REDIRECT_TO_LOGIN,
})(async ({ AuthUser, req }) => {
  const token = await AuthUser.getIdToken()
  console.log(token) // New token each request

  return {
    props: { },
  }
})

export default withAuthUser({
  whenUnauthedAfterInit: AuthAction.REDIRECT_TO_LOGIN,
})(Demo)

[kmjennison]

Yes, it's expected. The auth cookies are set whenever the Firebase client's ID token changes, which is typically at least once per app load. When that happens, the "issued at" and "expiration" timestamps change in the token, and so the next withAuthUserTokenSSR will see a new token.

[andrewli-ca]

Thanks for the quick response!

A follow up question, why is the token staying consistent across page refreshes on the client?

const Demo = ({ favoriteColor }) => {
  const AuthUser = useAuthUser()

  useEffect(() => {
    AuthUser.getIdToken().then((token) => console.log(token)) // token stays consistent across page refresh
  })

  return (
    <div>
      <Header email={AuthUser.email} signOut={AuthUser.signOut} />
    </div>
  )
}

[kmjennison]

Great question. When you call setAuthCookies, it recreates a token each time. There's no logic around not creating a new ID token when the existing one is still valid and won't expire soon. The Firebase JS SDK, on the other hand, will refresh the ID token only when it's close to expiring (probably every ~50 minutes, but I'm not sure exactly how frequently this happens).

[andrewli-ca]

Thanks for the explanations. Much appreciated!