Auth Flow

If you use SSR, the flow is slightly different from what you may be used to.

Typically, Firebase signs users in on the client side. If you use SSR, we also need a way to authenticate the user on the server side.

To do so, we use Firebase Auth's session cookies: we create the cookie when the user signs in and then destroy it when the user signs out.

Step 1: User signs in using the client SDK

The user can sign in (or up) using the Firebase Auth client SDK from the client side.

After being authenticated (signing in or up), the application requests to create and store a session cookie.

The cookie is stored as an HTTP-only cookie and will be sent to the server, so we can authenticate users right when we render the page.

When needed, we can perform the necessary redirects and security checks server-side.

Step 3: Page Rendering

The application renders a session-aware page if you have opted to use SSR on every page. Otherwise, the Firebase SDK should reflect the current session once the page has been rendered.

Step 4: User signs out

The client SDK starts a sign-out request when the user decides to sign out.

When Firebase Auth destroys the current user session, a listener intercepts the event and calls the API endpoint to destroy the session cookie.
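
The server-side half of the flow above (create the cookie at sign-in, verify it at render time, destroy it at sign-out), as an added example that is not the project's own code. It assumes `auth` is a firebase-admin Auth instance (`getAuth()` from `firebase-admin/auth`) passed in by the caller; the function names, the cookie name, the 5-day lifetime, the 5-minute recent-sign-in window and the refresh-token revocation on sign-out are choices made for this example.

```javascript
// Added example. `auth` is a firebase-admin Auth instance supplied by the caller.
// Names and values below are assumptions of this example, not the project's.
const SESSION_COOKIE = "session";
const EXPIRES_IN_MS = 5 * 24 * 60 * 60 * 1000; // Firebase accepts 5 minutes to 2 weeks
const MAX_SIGN_IN_AGE_S = 5 * 60;

function serializeCookie(value, maxAgeSeconds) {
  return [
    `${SESSION_COOKIE}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "HttpOnly", // not readable from page JavaScript
    "Secure", // sent over HTTPS only
    "SameSite=Lax",
  ].join("; ");
}

// Sign-in: exchange the client's ID token for a Set-Cookie header value.
async function createSession(auth, idToken, nowSeconds = Date.now() / 1000) {
  const decoded = await auth.verifyIdToken(idToken);
  // Only mint a cookie right after sign-in, so an old leaked ID token is not enough.
  if (nowSeconds - decoded.auth_time > MAX_SIGN_IN_AGE_S) {
    throw new Error("Recent sign-in required");
  }
  const cookie = await auth.createSessionCookie(idToken, { expiresIn: EXPIRES_IN_MS });
  return serializeCookie(cookie, EXPIRES_IN_MS / 1000);
}

// Page render: resolve the user from the request's Cookie header, or return null.
async function getUserFromCookieHeader(auth, cookieHeader = "") {
  const prefix = `${SESSION_COOKIE}=`;
  const pair = cookieHeader.split(/;\s*/).find((c) => c.startsWith(prefix));
  if (!pair) return null;
  try {
    // checkRevoked = true also rejects cookies of revoked or disabled users.
    return await auth.verifySessionCookie(decodeURIComponent(pair.slice(prefix.length)), true);
  } catch {
    return null; // invalid, expired or revoked: treat the request as signed out
  }
}

// Sign-out: revoke the user's sessions server-side, then expire the browser cookie.
// Note: revocation ends this user's sessions on every device.
async function destroySession(auth, cookieHeader) {
  const user = await getUserFromCookieHeader(auth, cookieHeader);
  if (user) await auth.revokeRefreshTokens(user.sub);
  return serializeCookie("", 0);
}
```

Because verification runs with `checkRevoked` set, a copy of the cookie captured before sign-out stops working once `destroySession` has run, not only when it expires.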