are you using cookie-parser?
Using Redirects instead of Cookies
Hey yall, thanks for all the guidance, I got stuck with the cookie approach because my server is on a different domain and Safari is at war with third party cookies. I've written up a Stack Overflow Q&A with a redirect approach, happy authenticating!
Just to say that I'd be very interested too to have an easy integration of Firebase authentication into Discourse.
Hmm, what is the purpose of doing this exactly? Are you not using Firebase authentication elsewhere in a webapp apart from Discourse? I am and don't want to mess with that setting, I would prefer it as "local" (Authentication State Persistence | Firebase)
Just some notes for others that go down this path:
- call your cookie "__session" if you use firebase hosting. The rewrite rules filter out all other cookies for caching purposes.
- you want to replace the relevant code above with something like this so that you don't allow unvalidated emails (big security risk).

  ```js
  auth
    .verifyIdToken(idToken)
    .then(function (decodedClaims) {
      // In this case, we are enforcing that the user signed in in the last 5 minutes.
      // and they have a verified email
      if (
        decodedClaims.email_verified &&
        new Date().getTime() / 1000 - decodedClaims.auth_time < 5 * 60
      ) {
        return auth.createSessionCookie(idToken, { expiresIn });
      }
      throw new Error("UNAUTHORIZED REQUEST!");
    })
  ```
- there is a "logout redirect" setting in Discourse. You probably want to use this to hit a URL that clears the __session cookie (can only be done via a backend api call) so the user isn't automatically logged in as the same user as before when they try to login again.
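The three notes above combined into one login/logout pair, as an added example that is not part of the original posts. `auth` stands for any object exposing the `verifyIdToken()` and `createSessionCookie()` calls used in the snippet; the session lifetime, the cookie attributes, the response shape and the `fakeAuth` stand-in are assumptions made for illustration.

```javascript
// Added example. `auth` is any object with verifyIdToken() and
// createSessionCookie(), the two calls used in the post's snippet.
const COOKIE_NAME = "__session";  // per the post: other names are filtered by Firebase Hosting
const MAX_AUTH_AGE_S = 5 * 60;    // same 5-minute sign-in window as the post
const EXPIRES_IN_MS = 5 * 24 * 60 * 60 * 1000; // assumed session lifetime (5 days)
const ATTRS = "Path=/; HttpOnly; Secure";      // assumed cookie attributes

// Returns a rejection reason, or null when the claims may become a session.
function checkClaims(claims, nowSeconds) {
  if (claims.email_verified !== true) return "email_not_verified";
  const age = nowSeconds - claims.auth_time; // NaN if auth_time is missing
  if (!Number.isFinite(age) || age >= MAX_AUTH_AGE_S) return "stale_sign_in";
  return null;
}

const setCookie = (value) =>
  `${COOKIE_NAME}=${value}; Max-Age=${EXPIRES_IN_MS / 1000}; ${ATTRS}`;
const clearCookie = () => `${COOKIE_NAME}=; Max-Age=0; ${ATTRS}`;

// Login: verify the ID token, apply the checks, then mint the cookie.
// Any failure also clears a leftover cookie so no old session survives.
async function login(auth, idToken, nowSeconds = Date.now() / 1000) {
  try {
    const claims = await auth.verifyIdToken(idToken);
    const reason = checkClaims(claims, nowSeconds);
    if (reason) return { status: 401, error: reason, setCookie: clearCookie() };
    const cookie = await auth.createSessionCookie(idToken, { expiresIn: EXPIRES_IN_MS });
    return { status: 200, setCookie: setCookie(cookie) };
  } catch (err) {
    return { status: 401, error: "invalid_token", setCookie: clearCookie() };
  }
}

// Logout: the URL the Discourse "logout redirect" setting points at returns this.
function logout() {
  return { status: 200, setCookie: clearCookie() };
}

// Constructed stand-in for the Admin SDK so the example runs offline.
const fakeAuth = (claims) => ({
  verifyIdToken: async () => claims,
  createSessionCookie: async (token) => `session-for-${token}`,
});
login(fakeAuth({ email_verified: false, auth_time: 0 }), "tok", 60)
  .then((r) => console.log(r.status, r.error)); // unverified email is refused
```

In a real handler the returned `setCookie` string goes into the response's `Set-Cookie` header.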
Where can you implement this code?