Firebase token refresh — investigation

This folder collects the investigation conducted in April 2026 into the Firebase token refresh flow on the main portal. It is preserved here for reference; the documents are not active planning artefacts.

Background

The CTO reported that the Firebase token refresh procedure was not behaving as expected. A code-based audit was performed to identify the actual mechanism, locate the failure modes, and propose remediation.

Originating ticket: TOP-4907 — Analyse the Firebase refresh token approach and recommend a way.

People

  • Owner: Stefano Susini
  • Contributor: w01fgang (PR review feedback that materially shaped both documents)

Documents

  • 2026-04-27-firebase-token-refresh-findings.md — Eight findings, with file/line evidence, severity, suggested solution, and rationale, plus a recommended order of work. Outcome: accepted by the team; fixes scheduled for follow-up implementation.
  • 2026-04-27-firebase-session-cookies-exploration.md — A structural alternative analysed alongside the findings: migrating to Firebase session cookies (createSessionCookie) instead of patching the current ID-token refresh flow. Includes a per-attack threat-model comparison and a two-iteration migration sketch (basic migration plus an optional Persistence.NONE follow-up). Outcome: not scheduled; retained as informational reference.

How to use this folder

  • When implementing the findings, treat the findings doc as the source of truth for the failure modes and the suggested fixes.
  • When the team revisits session-cookie migration in the future, start from the exploration doc — it documents the trade-offs, the open questions, and the call-site inventory that would be needed.
  • If either decision changes, update the Status banner at the top of the relevant document and add a short note here describing the change.