Would it be possible to have a "Remember me" feature ?

[tlays]

Currently, when using this library, after you close the browser entirely, the cookies remain in the cache. Then next time you open the browser and try to access a page with authentication, the cookies are cleared and the user is unAuthenticated => this is great.

However, do you think it would be possible to have a "Remember me" option at login, so that when after the browser is fully closed, when the user comes back he could stay authenticated.

We would have to manually instantiate firebase/auth and create the "CurrentUser" using a refreshed security token from the cookie session ... but @kmjennison is it possible ?

Thanks

[kmjennison]

@tlays In this package, the Firebase JS SDK is the source of truth for auth, so the cookies will set/unset depending on Firebase's auth status.

Indefinite authentication: By default, Firebase should persist authentication locally that lives beyond the session (see Firebase persistence docs). If you're signed out after closing the session, you probably have to look at your Firebase settings or ensure your browser isn't clearing local storage on close. next-firebase-auth also defaults to keeping auth cookies for 1 week, so it will also keep the user authenticated by default.

Session authentication: If you set Firebase JS SDK to session storage, you should also make sure next-firebase-auth cookies will also clear after the session. You can do that by setting the maxAge and expires properties to undefined in the cookies object of the config. For more info, see cookies documentation. If closing your browser clears Firebase JS SDK auth but does not remove the cookies, you're correct that the cookies will be unset the next time you load the app—but for security, you probably don't want the cookies still set until then.

[tlays]

Thanks for the detailed reply @kmjennison ... and you're right, I had this line of code in one of my pages that I forgot to cleanup firebaseClient.auth().setPersistence(firebaseClient.auth.Auth.Persistence.SESSION); ... which obviously was killing the session when closing the browser. I thought that "killing the session after browser close" was an intended behaviour of this module, but it turns out it was just my mistake. 😅 With that line gone, the user remains indeed authenticated even after the browser is closed.

It makes total sense that this package considers the Firebase JS SDK as the source of truth for auth, and therefore I agree, a "remember me" option should not be a feature of this module. It can easily be built on top of the Firebase SDK outside of this module.