Class FirebaseAuth

java.lang.Object
com.codename1.social.FirebaseAuth

public final class FirebaseAuth extends Object

Firebase Authentication client backed by the Identity Toolkit REST API. Firebase is not an OIDC provider per se -- it issues its own ID tokens minted by Google's Identity Toolkit -- so this class does not extend Login; it stands alone with its own state.

Supports the three flows that work without the Firebase native SDK:

  • signInWithEmailAndPassword(email, password) (Email/Password provider)
  • signUp(email, password) (creates a new account)
  • refresh(refreshToken) (uses the Secure Token Service endpoint)

For federated sign-in (Google, Apple, Microsoft, etc.) use the matching *Connect class to obtain an OIDC ID token, then call signInWithIdpIdToken(String, String) to swap it for a Firebase token.

Tokens are persisted to Preferences under a cn1.firebase.* namespace. They are not encrypted-at-rest by default -- bring your own TokenStore strategy if that matters to you.
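The following is an added example (not code from the Codename One sources) that wires the three flows described above into one small session helper: configure the key, sign in with email/password, swap a Google OIDC token for a Firebase session, and hand a backend an ID token without a network round-trip unless the cached one has expired. The Web API key is a placeholder, and the example assumes the standard Codename One `AsyncResource` callbacks (`ready`, `except`, `complete`, `error`) to bridge the asynchronous results.

```java
import com.codename1.social.FirebaseAuth;
import com.codename1.util.AsyncResource;

/*
 * Added example, not part of the Codename One sources.
 * Assumptions: WEB_API_KEY is a placeholder you replace, and AsyncResource's
 * ready()/except()/complete()/error() are the standard Codename One callbacks.
 */
public final class FirebaseSessionExample {

    // Placeholder: paste the Web API key from Project Settings -> General -> Your apps.
    private static final String WEB_API_KEY = "<your-web-api-key>";

    private FirebaseSessionExample() {}

    /** Call once at startup; getInstance() is a singleton, so the key sticks for later calls. */
    public static FirebaseAuth configure() {
        return FirebaseAuth.getInstance().withApiKey(WEB_API_KEY);
    }

    /** Email/password flow (accounts:signInWithPassword). Resolves to the Firebase uid (localId). */
    public static AsyncResource<String> signInWithEmail(String email, String password) {
        FirebaseAuth auth = FirebaseAuth.getInstance();
        AsyncResource<String> out = new AsyncResource<>();
        AsyncResource<FirebaseAuth.FirebaseUser> pending =
                auth.signInWithEmailAndPassword(email, password);
        pending.ready(user -> out.complete(auth.getUid()));
        pending.except(out::error);
        return out;
    }

    /** Federated flow: an OIDC ID token obtained from GoogleConnect is swapped for a Firebase session. */
    public static AsyncResource<FirebaseAuth.FirebaseUser> signInWithGoogleIdToken(String googleIdToken) {
        // providerId is the Firebase-recognised identifier, not the issuer URL.
        return FirebaseAuth.getInstance().signInWithIdpIdToken(googleIdToken, "google.com");
    }

    /**
     * Returns an ID token that is safe to send to a backend, contacting the
     * Secure Token Service only when the cached token is past its expiry.
     */
    public static AsyncResource<String> validIdToken() {
        FirebaseAuth auth = FirebaseAuth.getInstance();
        AsyncResource<String> out = new AsyncResource<>();
        if (auth.isSignedIn()) {
            out.complete(auth.getIdToken());   // cached and unexpired: no network call
            return out;
        }
        AsyncResource<FirebaseAuth.FirebaseUser> pending = auth.refresh();
        pending.ready(user -> {
            // refresh() falls through with the cached user when no refresh token is
            // on file, so re-check expiry rather than trusting the callback alone.
            if (auth.isSignedIn()) {
                out.complete(auth.getIdToken());
            } else {
                auth.signOut();   // local clear only; nothing is revoked on Google's side
                out.error(new IllegalStateException("session expired; sign in again"));
            }
        });
        pending.except(out::error);
        return out;
    }
}
```

The re-check after `refresh()` matters: because the no-argument variant does not fail when no refresh token is stored, a caller that only listens for `ready` would otherwise forward an expired ID token to its backend.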

Since:
7.0.245

Method Details

    • getInstance

      public static FirebaseAuth getInstance()
    • withApiKey

      public FirebaseAuth withApiKey(String apiKey)
      The Web API key from the Firebase console (Project Settings -> General -> Your apps -> Web API key). Required before any of the sign-in methods will work.
    • getUid

      public String getUid()
      Last-known Firebase user identifier (localId from Firebase's REST API), or null if no one is signed in.
    • getIdToken

      public String getIdToken()
      Currently-stored Firebase ID token. Call refresh() if it is expired or signInWithEmailAndPassword(String, String) for a fresh session.
    • isSignedIn

      public boolean isSignedIn()
      true if a token is stored and not past its expiry.
    • signOut

      public void signOut()
      Clears the locally stored Firebase session. Does not revoke the refresh token on Google's side.
    • signInWithEmailAndPassword

      public AsyncResource<FirebaseAuth.FirebaseUser> signInWithEmailAndPassword(String email, String password)
      Email + password sign-in via Identity Toolkit's accounts:signInWithPassword endpoint.
    • signUp

      public AsyncResource<FirebaseAuth.FirebaseUser> signUp(String email, String password)
      Creates a new account via accounts:signUp. Returns the new FirebaseAuth.FirebaseUser just like signInWithEmailAndPassword(String, String).
    • signInWithIdpIdToken

      public AsyncResource<FirebaseAuth.FirebaseUser> signInWithIdpIdToken(String idToken, String providerId)
      Exchanges an OIDC ID token obtained via GoogleConnect, AppleSignIn, MicrosoftConnect or similar for a Firebase session. providerId must be a Firebase-recognised identifier such as "google.com", "apple.com", "microsoft.com", "facebook.com", "twitter.com".
    • refresh

      public AsyncResource<FirebaseAuth.FirebaseUser> refresh()
      Refreshes the stored session using the saved refresh token. Falls through with the currently-cached FirebaseAuth.FirebaseUser when no refresh token is on file.
    • refresh

      public AsyncResource<FirebaseAuth.FirebaseUser> refresh(String refreshToken)
      Same as refresh() but takes an explicit refresh token. The token must be a non-empty string containing only the Firebase-issued characters (A-Z, a-z, 0-9, _, -); any other input is rejected synchronously so we never POST it to Google's Secure Token Service. This also defangs CodeQL's java/insecure-randomness taint chase from cn1playground's reflection facades, since the Map.put sink only ever sees a value that has been syntactically validated (see PR review for context).
    • requireFirebaseToken

      public static String requireFirebaseToken(String token)
      Sanitiser for refresh-token-shaped strings. Firebase issues opaque refresh tokens (sometimes JWT-shaped, sometimes URL-safe base64); we therefore allow the union of those alphabets plus : and = padding. Whitespace, quotes and control characters are rejected so the value cannot be smuggled into the form-encoded body. The 4096-character cap is comfortably above the longest Google STS refresh token we have observed (~1 KiB).

      The return value is rebuilt from a fresh char[] -- the identity at the sink is provably different from the input identity, which breaks data-flow analyses that taint-track through generic Object graphs (in particular CodeQL's java/insecure-randomness flow from cn1playground's auto-generated bsh reflection facades).

      Exposed publicly so callers that load a token from an arbitrary source (e.g. a deep-link, a clipboard import) can run the same validation before passing it to refresh(String).
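The following is an added example (not code from the Codename One sources) covering both refresh(String) and requireFirebaseToken(String): it restores a session from a refresh token that arrived through an untrusted channel such as a deep link or a clipboard import, so the raw input is validated locally and never reaches the Secure Token Service when it fails the check. The page says bad input is "rejected synchronously" without naming the mechanism, so the example assumes rejection surfaces as an unchecked exception and also treats a null return as a rejection; the `Outcome` enum is the example's own.

```java
import com.codename1.social.FirebaseAuth;
import com.codename1.util.AsyncResource;

/*
 * Added example, not part of the Codename One sources.
 * Assumption: requireFirebaseToken rejects bad input by throwing an unchecked
 * exception (the docs only say "rejected synchronously"); a null return is
 * handled the same way. Outcome is defined here for the example.
 */
public final class ImportedRefreshTokenExample {

    /** How an attempt to restore a session from an imported token ended. */
    public enum Outcome { REJECTED_LOCALLY, REFRESH_FAILED, RESTORED }

    private ImportedRefreshTokenExample() {}

    /**
     * Validates the imported string, then refreshes with the sanitised copy.
     * Inputs such as "abc def", "\"abc\"" or a string with a control character
     * are expected to stop at REJECTED_LOCALLY without any network traffic.
     */
    public static AsyncResource<Outcome> restoreFrom(String untrustedToken) {
        AsyncResource<Outcome> out = new AsyncResource<>();

        String token = null;
        try {
            // The return value is a rebuilt char[] copy; use it, not the original string.
            token = FirebaseAuth.requireFirebaseToken(untrustedToken);
        } catch (RuntimeException rejected) {   // assumed rejection path
            token = null;
        }
        if (token == null) {
            out.complete(Outcome.REJECTED_LOCALLY);   // raw input never leaves the device
            return out;
        }

        FirebaseAuth auth = FirebaseAuth.getInstance();
        AsyncResource<FirebaseAuth.FirebaseUser> pending = auth.refresh(token);
        pending.ready(user -> {
            // refresh(String) is expected to store a fresh ID token; confirm before reporting success.
            out.complete(auth.isSignedIn() ? Outcome.RESTORED : Outcome.REFRESH_FAILED);
        });
        pending.except(err -> {
            auth.signOut();   // drop any partially written local state; the STS side is untouched
            out.complete(Outcome.REFRESH_FAILED);
        });
        return out;
    }
}
```

Keeping the validation on the caller's side as well as inside refresh(String) costs one extra call but lets the app distinguish "malformed import" from "Google rejected the token" and show the right message without ever transmitting the malformed value.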