Description
[REQUIRED] Describe your environment
- Operating System version: N/A
- Browser version: N/A
- Firebase SDK version: 8.2.3
- Firebase Product: auth
[REQUIRED] Describe the problem
firebase.User.getIdToken()'s docs do not describe how the Promise it returns can reject. I'm guessing at least the following cases can exist:
- The user was deleted
- The user was disabled
- The admin SDK revoked their refresh token
- Any internal error
Any app that has non-Firebase backend APIs and needs to authenticate those API requests needs to call getIdToken() on the client. They may be able to get away without addressing when the Promise rejects for a while, at least until they need to deactivate spammers, revoke a user's refresh token due to suspicious activity, etc.
Reading through the source, it appears there could be more cases, and it's not clear how to identify these errors on the client (what are the error.code values?). I'm looking at fireauth.AuthUser.prototype.getIdToken, which calls into fireauth.StsTokenManager.prototype.getToken. That method will reject with fireauth.authenum.Error.TOKEN_EXPIRED if the refresh token is missing. But it calls into fireauth.RpcHandler.prototype.requestStsToken which can throw fireauth.authenum.Error.NETWORK_REQUEST_FAILED as well as any error from fireauth.RpcHandler.getDeveloperError_, which is just a general error translation function and not really helpful for understanding how requestStsToken can fail.
Given that getIdToken()'s Promise rejecting doesn't automatically sign out a user, it might also be good to include a note on how to best handle each error (i.e. signing out the user yourself or prompting them for their password).
It'd be helpful to update the sample code here https://firebase.google.com/docs/auth/admin/verify-id-tokens#retrieve_id_tokens_on_clients with the various situations as well.
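
One way a client could act on the rejection cases listed in the issue above, as an added example that is not part of the original issue or of the Firebase SDK or docs. `classifyTokenError` and `getTokenForApi` are hypothetical helpers; the `auth/...` strings exist in the JS SDK's auth error list, but which of them `getIdToken()` actually rejects with in each case is an assumption, since that is what the issue asks to have documented.

```javascript
// Assumed mapping from error.code to client action. The code strings exist in
// the Firebase JS SDK; their association with getIdToken() is an assumption.
// A Map (not a plain object) so keys like "__proto__" cannot match anything.
const TOKEN_ERROR_ACTIONS = new Map([
  ['auth/network-request-failed', 'retry'], // transient, keep the session
  ['auth/user-token-expired', 'sign-out'],  // refresh token missing or revoked
  ['auth/user-disabled', 'sign-out'],       // account disabled by an admin
  ['auth/user-not-found', 'sign-out'],      // account deleted
]);

// Classify a rejection as 'retry', 'sign-out' or 'fail'.
// Unknown or malformed errors fail closed: no token, no silent retry loop.
function classifyTokenError(err) {
  const code = err && typeof err.code === 'string' ? err.code : '';
  return TOKEN_ERROR_ACTIONS.get(code) || 'fail';
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Fetch an ID token for a call to a non-Firebase backend.
// `user` is a firebase.User (anything with getIdToken()); `signOut` is the
// app's own callback, e.g. () => firebase.auth().signOut().
// Resolves to { token, action } and never rejects, so callers must check
// `token` before sending the request.
async function getTokenForApi(user, signOut, maxRetries = 2, baseDelayMs = 200) {
  for (let attempt = 0; ; attempt++) {
    try {
      return { token: await user.getIdToken(), action: 'ok' };
    } catch (err) {
      const action = classifyTokenError(err);
      if (action === 'retry' && attempt < maxRetries) {
        await sleep(baseDelayMs * 2 ** attempt); // exponential backoff
        continue;
      }
      // getIdToken() rejecting does not sign the user out, so do it here
      // when the session can no longer produce tokens.
      if (action === 'sign-out') await signOut();
      return { token: null, action: action === 'retry' ? 'retry-exhausted' : action };
    }
  }
}
```
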