Google Sign in delete cookies on signOut - javascript

I'm validating whether the user's account is allowed to sign in.
When it isn't, he is signed out with:
gapi.auth2.getAuthInstance().signOut()
The problem is that when he presses the sign-in button again, the account chooser won't appear.
It just uses the old cached account and he is immediately signed out again.
How can I delete the cookies in order to show the account chooser again?

Haven't confirmed yet, but you might want to revoke the access instead of signOut().
https://developers.google.com/identity/sign-in/web/disconnect

Related

prevent multiple login Codeigniter 4

I want to make a login system and check whether a user is logged in multiple times, and give the notification "account already logged in on another device" to the current login. How do I make a system like that? I've searched for it on Google but couldn't find the right one.
check whether a user is logged in multiple times, and give the notification "account already logged in on another device" to the current login
Problem:
You can't really tell whether the user is still logged in, because the server is stateless.
Let's say I log in inside an incognito window. When I close it, the session cookie is deleted.
But on the server it still exists. How do you tell whether I'm actually logged in or not?
Solution:
You can make a heartbeat request to the server and log the activity.
So you have JS code sending a request every minute so you know the user is online. Also, in every request you set the cookie as well.
So you log the last activity time every minute and on every request.
When the user tries to log in, you check whether the logged activity is older than two minutes.

How to sign out using Google Identity API?

I have used the Google Identity API to sign in the user. It works perfectly while signing in.
But the sign-out doesn't work, and I don't know why.
This is the sign-out code:
const button = document.getElementById('signout_button');
button.onclick = () => {
  google.accounts.id.disableAutoSelect();
  console.log('logged out');
};
But it doesn't work even if I press the button.
I want this Google box to turn into the sign-in button after I sign out, but it doesn't work:
You're doing the right thing by calling disableAutoSelect() in your sign-out onclick handler, but it only applies to and controls the behavior for the automatic sign-in button. It doesn't affect One Tap or the Sign In With Google button.
To further clarify what it means to be signed in... there are two user sessions:
1. between the user and their Google Account
2. between the user and your app
You'll manage 2, but 1 is not managed by you. For 1, users may be signed into their Google Account from a tab, the browser, or a device/OS. This establishes which Google Account has an active session. The state of this session is independent from 2, where you're managing sign-in or sign-out status for your app.
For case 2, sign-in to your site: you'll receive a JWT from Google after user consent and can proceed with changing the sign-in state for your app. One means of tracking sign-in state is using cookies. To make this easier to manage in HTML, the data-skip_prompt_cookie attribute is available to enable you to use a cookie to control whether the One Tap popup or automatic sign-in option will be displayed or not. You'd normally want to suppress the popup if the user is signed in... and the cookie value tracks signed-in status. If you're using JavaScript, you simply skip calling google.accounts.id.prompt to not force the user to sign in again if they're already signed into your site.
OK. Now that we've gone over a couple of methods to establish 2, we can get to what it means to be signed out of your site...
To sign out, from your button.onclick handler either clear the data-skip_prompt_cookie or change the status if you are using JavaScript to track session state using your back end. This will then enable you to display the One Tap popup or automatic sign-in prompt to signed-out users on their return visit to your site. The absence of the cookie means the sign-in prompts will be displayed, or your JS code will call google.accounts.id.prompt to display the sign-in prompts.
Now to be really thorough there is one more scenario to be aware of. If a user wants to delete their account from your site you'll want to use google.accounts.id.revoke to revoke consent to share their profile. Doing this will stop the JWT from being shared when One Tap, automatic sign-in or Sign In With Google buttons are used. Instead, the flow will restart and the user will be prompted to choose a Google Account and consent--effectively restarting your sign-in flow for 2.
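The cookie bookkeeping the answer above describes, as an added example that is not part of the answer or of Google's library: set a "signed in" cookie once the back end has accepted a Google credential, clear it in the sign-out handler, and consult it before calling google.accounts.id.prompt(). The cookie name app_signed_in, the cookieJar abstraction (a stand-in for document.cookie so the code runs under Node) and the constructed demo token are this example's own assumptions; data-skip_prompt_cookie itself just names whichever cookie you choose.

```javascript
// Added example, not code from the answer or from Google Identity Services.
// Assumed cookie name; pass the same value in the data-skip_prompt_cookie attribute.
const SKIP_PROMPT_COOKIE = 'app_signed_in';

// Decode a JWT payload WITHOUT verifying it. It is used here only to read `exp`
// so the cookie expires together with the ID token; authorization decisions
// must rest on the server-side verification of the token, never on this.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// GIS credential callback, after your back end has verified `idToken` and
// created its own session. Returns the cookie lifetime in seconds.
function onSignedIn(cookieJar, idToken, nowSeconds) {
  const { exp } = decodeJwtPayload(idToken);
  const maxAge = Math.max(0, exp - nowSeconds);
  cookieJar.set(SKIP_PROMPT_COOKIE, '1', maxAge);
  return maxAge;
}

// Sign-out handler from the answer: clearing the cookie is what lets One Tap
// or automatic sign-in appear again on the next visit (disableAutoSelect()
// would be called alongside this in the real handler).
function onSignOut(cookieJar) {
  cookieJar.remove(SKIP_PROMPT_COOKIE);
}

// JavaScript equivalent of data-skip_prompt_cookie: prompt only when the
// cookie is absent, i.e. the user is not signed in to this site.
function shouldPrompt(cookieJar) {
  return cookieJar.get(SKIP_PROMPT_COOKIE) === undefined;
}

// Minimal in-memory cookie jar with document.cookie-like semantics
// (max-age <= 0 deletes). In the browser, write through document.cookie instead.
function makeCookieJar() {
  const store = new Map();
  return {
    set(name, value, maxAgeSeconds) {
      if (maxAgeSeconds > 0) store.set(name, value); else store.delete(name);
    },
    get(name) { return store.get(name); },
    remove(name) { store.delete(name); },
  };
}

// Constructed, unsigned demo token for the walk-through only; a real Google
// ID token is signed and must be verified server-side before use.
function makeDemoIdToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ typ: 'JWT' })}.${enc(payload)}.`;
}

// Walk-through with constructed values.
function demo() {
  const jar = makeCookieJar();
  const now = 1_700_000_000;
  const token = makeDemoIdToken({ sub: 'constructed-user', exp: now + 3600 });
  const before = shouldPrompt(jar);        // true: nothing stored yet
  const ttl = onSignedIn(jar, token, now); // 3600
  const during = shouldPrompt(jar);        // false: signed in, suppress One Tap
  onSignOut(jar);
  const after = shouldPrompt(jar);         // true again after sign-out
  return { before, ttl, during, after };
}
```

Tying the cookie's max-age to the token's exp means a returning visitor whose Google session has lapsed is prompted again rather than seeing a silently broken "signed in" state.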

firebase authentification one user

I am creating a login for my Chrome extension where I am going to be using Firebase email and password.
I am going to be putting the Firebase create-user code on my website, where someone can enter their email and the script will create a random set of digits and set that as the password. It will then email that password to the user, and the user uses the email he entered and the random-digit password he received via email to log in.
My question is: if a user signs up and then logs in with his email and password, what's to stop him from giving that email and password to his friend so he also logs in? I want to control the number of users I allow within my Chrome extension and only want the person who logged in to use the Chrome extension (I want the login to be usable only once). Is this possible with Firebase or not?
Also, if anyone knows a simpler method than the one I described above with sending the email, please let me know, because to do the above I have to create something that sends an email and creates the password.
I would also like to know if Firebase has something where I can set a date on a user and after that date passes the user is logged out and has to register again.
But my main question is, if a user were to register, whether he has the ability to share the login with his friend or whether only he can use it.
I really appreciate your reply and help on my issue in advance. Thanks a lot.
You'll likely have to do this from the server side (e.g. in a Cloud Function).
One option would be to use the session management features in the auth admin SDK: https://firebase.google.com/docs/auth/admin/manage-sessions - if you report back from the extension with the logged in user, you can revoke access for users who are seen in too many places at the same time. This limit might not be 1 - you may want to allow your users to log in on multiple machines at once.
For even more control, look at the option for managing your own session cookie: https://firebase.google.com/docs/auth/admin/manage-cookies - this allows you to set your own expiry and control the logged in state more granularly.
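The two server-side ideas in this thread and the Codeigniter one above, the heartbeat with a two-minute staleness window and "revoke users who are seen in too many places at once", share the same bookkeeping, so here is one added example covering both. It is not code from either answer, Codeigniter or Firebase; SessionTracker, the { userId, sessionId } heartbeat shape and the timestamps are constructed for this example, and the revocation itself (for Firebase, the admin SDK's session management) is left to the caller.

```javascript
// Added example, not from the answers above. In-memory tracker of per-session
// activity; a real deployment would back it with a shared store.
const HEARTBEAT_STALE_MS = 2 * 60 * 1000; // two minutes, the first answer's window

class SessionTracker {
  // maxConcurrent: how many simultaneous live sessions a user may hold.
  constructor(maxConcurrent = 1) {
    this.maxConcurrent = maxConcurrent;
    this.lastSeen = new Map(); // userId -> Map(sessionId -> last heartbeat, epoch ms)
  }

  // Record a heartbeat (or any authenticated request) for a session.
  heartbeat(userId, sessionId, nowMs) {
    if (!this.lastSeen.has(userId)) this.lastSeen.set(userId, new Map());
    this.lastSeen.get(userId).set(sessionId, nowMs);
  }

  // Explicit logout: forget the session so it no longer counts as live.
  logout(userId, sessionId) {
    const sessions = this.lastSeen.get(userId);
    if (sessions) sessions.delete(sessionId);
  }

  // Sessions whose last heartbeat is within the window; stale ones are pruned
  // (deleting from a Map while iterating it is safe in JavaScript).
  activeSessions(userId, nowMs) {
    const sessions = this.lastSeen.get(userId);
    if (!sessions) return [];
    const active = [];
    for (const [sessionId, seenAt] of sessions) {
      if (nowMs - seenAt < HEARTBEAT_STALE_MS) active.push(sessionId);
      else sessions.delete(sessionId);
    }
    return active;
  }

  // Login-time check from the first answer: is another session still live?
  // The caller can then show "account already logged in on another device".
  isLoggedInElsewhere(userId, newSessionId, nowMs) {
    return this.activeSessions(userId, nowMs).some((id) => id !== newSessionId);
  }

  // Enforcement from the second answer: true when the user is live in more
  // places than allowed, at which point the server would revoke their sessions.
  exceedsLimit(userId, nowMs) {
    return this.activeSessions(userId, nowMs).length > this.maxConcurrent;
  }
}

// Constructed walk-through.
function demo() {
  const tracker = new SessionTracker(1);
  const t0 = 1_700_000_000_000; // constructed epoch ms
  tracker.heartbeat('alice', 'laptop', t0);
  const elsewhereSoon = tracker.isLoggedInElsewhere('alice', 'phone', t0 + 60_000);   // true: laptop seen 1 min ago
  const elsewhereLater = tracker.isLoggedInElsewhere('alice', 'phone', t0 + 121_000); // false: laptop is stale
  tracker.heartbeat('alice', 'laptop', t0 + 130_000);
  tracker.heartbeat('alice', 'phone', t0 + 140_000);
  const overLimit = tracker.exceedsLimit('alice', t0 + 150_000); // true: two live sessions, limit 1
  return { elsewhereSoon, elsewhereLater, overLimit };
}
```

The staleness window is the trade-off the first answer points at: a closed incognito window is only detected once two minutes of silence have passed, so a user who closes the browser and immediately reopens it elsewhere is briefly told they are still logged in.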

JsonWebToken User Authentication Issue

I have an app for user authentication and I ran into this issue where I have a user who logged in and has the JWT (JSON Web Token) stored in a cookie. I stored the cookie after I validated the user. Next I, as the admin, remove that user from the database while he/she is still logged in. Since the user is still logged in, the user has a valid JWT in the browser, so it still thinks that it exists, because the way I validate whether a user is logged in is through the web token. I have been thinking about how to fix this but I haven't been able to come up with anything yet.
I also posted this issue on GitHub.
Take a look at Invalidating JSON Web Tokens.
There are several techniques to invalidate a JWT token before its expiration when the user's situation has changed and you cannot remove it from localStorage/cookie: account deleted/blocked/suspended, password changed, permissions changed, user logged out by admin:
- Token blacklist: store tokens that were between logout and expiry time, mark them expired and check it in every request. You need server storage. You can include only the ID or use the issued-time field. Tokens issued before the last update of the user would be invalid.
- Short expiry times, and rotate them. Issue a new one every few requests. The problem is maintaining the user logged in when there are no requests (for example, closing the browser).
Other common techniques:
- Allow changing the user's unique ID if the account is compromised, with a new user & password login.
- Include the last login date to remove old tokens.
- To invalidate tokens when a user changes their password, sign the token with a hash of their password. If the password changes, any previous tokens automatically fail to verify. Extend this mechanism with other fields of interest to sign. The downside is that it requires access to the database.
One way would be to make the cookie expire by setting its expiration timestamp to a date that has already passed.

Google Sign-In for Websites Automatical Sign-In

I integrated Google Sign-In on my website.
However, if I visit my website again without clearing the browser history, it automatically signs in to the website and moves to the redirected page.
If I sign out and go back to the sign-in page, it does not automatically sign in; however, if I click the Google Sign-In button, it does not ask me for my account and password and sends me to the redirected page.
I want to make the browser stay at the sign-in page until a user clicks the Google Sign-In button. Also, I want it to ask a user for her/his account and password every time.
How can I do that?
Thank you.
Last part: "I want it to ask a user for her/his account and password every time":
If the user has authenticated the app (given permission the first time), then it will not ask for a username or password the next time; that is, the 'Allow Access' page will not come up. (Given the user is also signed in to the browser with the same Google account.)
However, if the user is not signed in, then Google will ask them to sign in through a pop-up window.
First part: Only clearing the history will not help. Try clearing the browser cache (Ctrl-Shift-Del shortcut).