Differentiating between invalid and expired tokens when verifying #179
Comments
Hmmm this issue does not seem to follow the issue template. Make sure you provide all the required information.
Sounds reasonable to me. @bojeil-google what do you think? Shall we introduce a new
In general, I think it is a good idea but I think this could be a breaking change. Developers may be expecting the current error code for both. If we add a new error code, they would basically miss it (they won't be catching it). I suggest we keep this until the next major version bump.
While waiting for the next major version bump would it be possible as per my second suggestion to surface the original
It's going to be hard to justify an API change that will become unnecessary a few months later. What if we modify the error message (
How about
Yes, that sounds reasonable. @simenbrekken would you be able to give us a patch?
Certainly. I'll have a patch ready this weekend.
Is this change still on roadmap? I see major release is out and this issue is closed but
It's still on roadmap. Just haven't gotten around to it yet.
Environment
Description
There's currently no robust way to detect if an id token is invalid or has expired when performing verification via `auth().verifyIdToken` other than checking if the actual `error.message` contains the string "expired".

The `verifyIdToken` implementation of `token-generator` correctly detects expired tokens by checking for `error.name === 'TokenExpiredError'` but this error code is discarded as it's rejected as a `FirebaseAuthError` with the `AuthClientErrorCode.INVALID_ARGUMENT` error code.

Would it be possible to add something like `AuthClientErrorCode.TOKEN_EXPIRED` or expose the original `error.name` as `error.errorInfo.name`?

I'd be glad to contribute a PR for any of the above proposals.
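The error flow described in this issue, as an added example (not part of the original post and not firebase-admin code): a self-contained Node.js model in which an inner verifier raises named errors, a wrapper collapses them into one code, and the caller has to tell "expired" from "invalid". `verifyModel`, `decide`, `keepName`, the secret and the sample tokens are hypothetical; the error names are the ones the jsonwebtoken library uses.

```javascript
const nodeCrypto = require('crypto');
const SECRET = 'constructed-demo-secret'; // constructed key for the sample tokens
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sign = (data) => nodeCrypto.createHmac('sha256', SECRET).update(data).digest('base64url');
const fail = (name, message) => Object.assign(new Error(message), { name });
const makeToken = (payload) => { // builds a constructed HS256 sample token
  const body = `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}`;
  return `${body}.${sign(body)}`;
};

// Inner verifier (model): signature first, then expiry, each failure with its own name.
function innerVerify(token, nowSec) {
  const [h, p, sig = ''] = token.split('.');
  const expected = Buffer.from(sign(`${h}.${p}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw fail('JsonWebTokenError', 'invalid signature');
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (typeof claims.exp !== 'number') throw fail('JsonWebTokenError', 'missing exp');
  if (claims.exp <= nowSec) throw fail('TokenExpiredError', 'jwt expired');
  return claims;
}

// Wrapper (model): every failure becomes INVALID_ARGUMENT; keepName adds errorInfo.name.
function verifyModel(token, nowSec, keepName) {
  try {
    return innerVerify(token, nowSec);
  } catch (err) {
    const errorInfo = { code: 'INVALID_ARGUMENT', message: `ID token rejected: ${err.message}` };
    if (keepName) errorInfo.name = err.name;
    throw Object.assign(new Error(errorInfo.message), { errorInfo });
  }
}

// Caller: 'refresh' only for an expired token, 'reject' for any other failure.
function decide(token, nowSec, keepName) {
  try {
    verifyModel(token, nowSec, keepName);
    return 'accept';
  } catch (err) {
    const expired = keepName
      ? err.errorInfo.name === 'TokenExpiredError'
      : err.message.includes('expired'); // workaround: breaks if the wording changes
    return expired ? 'refresh' : 'reject';
  }
}
const NOW = 1700000000; // constructed clock value, in seconds
const stale = makeToken({ sub: 'u1', exp: NOW - 60 });
console.log(decide(stale, NOW, true), decide(stale.slice(0, -2), NOW, true));
```

Because the signature is checked before `exp`, a token that is both expired and altered is classified as invalid rather than sent down the refresh path.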