I'm working with Firestore security rules and I've set up rules to restrict read and write access to authenticated users. However, I'm wondering about the behavior of the requires-recent-login error in Firebase when it comes to long-term authenticated users.
For instance, if a user has been logged in for, let's say, 2 months, will Firebase eventually trigger the requires-recent-login error upon attempting to read or write data or other error? Or does Firebase allow users to perform queries indefinitely as long as they are authenticated?
I'm also curious if Firebase imposes any limitations on this login timeframe, or if there's a way to establish a rule that enforces an expiration time for query access. For example, could I implement a rule that only permits read and/or write actions if the user's login is less than 2 months? Any insights or suggestions on how to approach this scenario would be greatly appreciated.
Once a user is signed in to Firebase, they in principle stay signed in indefinitely. In this flow, the refresh token will stay the same - and the Firebase SDK will generate a new ID token every hour or so.
When performing certain sensitive actions (deleting the account, changing password, etc), Firebase may require the user to provide their credentials again. As said on your previous questions, this does not make any change to the user's authentication state, but merely reestablishes the credentials of a already signed in user before allowing the sensitive operation.
If you want to require a recent login in your own backend code, you can decode and verify the ID token and check from that when the last login happened. If you just want to see what the information looks like, you can capture an ID token at any point in the app - and decode it with jwt.io too.