Class FirebaseAuth

java.lang.Object
com.codename1.social.FirebaseAuth

public final class FirebaseAuth extends Object

Firebase Authentication client backed by the Identity Toolkit REST API. Firebase is not an OIDC provider per se -- it issues its own ID tokens minted by Google's Identity Toolkit -- so this class does not extend Login; it stands alone with its own state.

Supports the three flows that work without the Firebase native SDK:

  • signInWithEmailAndPassword(email, password) (Email/Password provider)
  • signUp(email, password) (creates a new account)
  • refresh(refreshToken) (uses the Secure Token Service endpoint)

For federated sign-in (Google, Apple, Microsoft, etc.) use the matching *Connect class to obtain an OIDC ID token, then call signInWithIdpIdToken(String, String) to swap it for a Firebase token.

Tokens are persisted to Preferences under a cn1.firebase.* namespace. They are not encrypted at rest by default -- supply your own TokenStore strategy if that matters to you.

Since:
7.0.245
  • Method Details

    • getInstance

      public static FirebaseAuth getInstance()
    • withApiKey

      public FirebaseAuth withApiKey(String apiKey)
      The Web API key from the Firebase console (Project Settings -> General -> Your apps -> Web API key). Required before any of the sign-in methods will work.
    • getUid

      public String getUid()
      Last-known Firebase user identifier (localId from Firebase's REST API), or null if no one is signed in.
    • getIdToken

      public String getIdToken()
      Currently-stored Firebase ID token. Call refresh() if it is expired or signInWithEmailAndPassword(String, String) for a fresh session.
    • isSignedIn

      public boolean isSignedIn()
      true if a token is stored and not past its expiry.
    • signOut

      public void signOut()
      Clears the locally stored Firebase session. Does not revoke the refresh token on Google's side.
    • signInWithEmailAndPassword

      public AsyncResource<FirebaseAuth.FirebaseUser> signInWithEmailAndPassword(String email, String password)
      Email + password sign-in via Identity Toolkit's accounts:signInWithPassword endpoint.
    • signUp

      public AsyncResource<FirebaseAuth.FirebaseUser> signUp(String email, String password)
      Creates a new account via accounts:signUp. Returns the new FirebaseAuth.FirebaseUser just like signInWithEmailAndPassword(String, String).
    • signInWithIdpIdToken

      public AsyncResource<FirebaseAuth.FirebaseUser> signInWithIdpIdToken(String idToken, String providerId)
      Exchanges an OIDC ID token obtained via GoogleConnect, AppleSignIn, MicrosoftConnect or similar for a Firebase session. providerId must be a Firebase-recognised identifier such as "google.com", "apple.com", "microsoft.com", "facebook.com", "twitter.com".
    • registerPasskey

      public AsyncResource<FirebaseAuth.FirebaseUser> registerPasskey(String name)

      Enrolls a passkey for the currently signed-in Firebase user via the Identity Toolkit v2 passkey endpoints. The user must already be signed in (Firebase passkeys cannot exist without an underlying account); call signInWithEmailAndPassword(String, String) or signInWithIdpIdToken(String, String) first.

      name is the human-friendly label shown on the OS passkey sheet (e.g. "Alice's iPhone"); pass null to let the OS pick one.

      Requires Identity Platform (the upgraded Firebase Auth tier) with passkeys enabled in the console. The classic Firebase Auth tier does not expose passkey endpoints.

      Since:
      7.0.245
    • signInWithPasskey

      public AsyncResource<FirebaseAuth.FirebaseUser> signInWithPasskey()

      Signs the user in with an existing passkey via the Identity Toolkit v2 passkey sign-in endpoints. Returns a FirebaseAuth.FirebaseUser with fresh ID + refresh tokens, persisted via the same store as the other sign-in methods.

      Available wherever WebAuthnClient.isSupported() returns true.

      Since:
      7.0.245
    • refresh

      Refreshes the stored session using the saved refresh token. Falls through with the currently-cached FirebaseAuth.FirebaseUser when no refresh token is on file.
    • refresh

      public AsyncResource<FirebaseAuth.FirebaseUser> refresh(String refreshToken)
      Same as refresh() but takes an explicit refresh token. The token must be a non-empty string containing only the Firebase-issued characters (A-Z, a-z, 0-9, _, -); any other input is rejected synchronously, so it is never POSTed to Google's Secure Token Service. This also stops CodeQL's java/insecure-randomness query from tracing taint from cn1playground's reflection facades to the Map.put sink, since that sink only ever sees a value that has been syntactically validated (see PR review for context).
    • requireFirebaseToken

      public static String requireFirebaseToken(String token)

      Sanitiser for refresh-token-shaped strings. Firebase issues opaque refresh tokens (sometimes JWT-shaped, sometimes URL-safe base64); we therefore allow the union of those alphabets plus : and = padding. Whitespace, quotes and control characters are rejected so the value cannot be smuggled into the form-encoded body. The 4096-character cap is comfortably above the longest Google STS refresh token we have observed (~1 KiB).

      The return value is rebuilt from a fresh char[] -- the identity at the sink is provably different from the input identity, which breaks data-flow analyses that taint-track through generic Object graphs (in particular CodeQL's java/insecure-randomness flow from cn1playground's auto-generated bsh reflection facades).

      Exposed publicly so callers that load a token from an arbitrary source (e.g. a deep-link, a clipboard import) can run the same validation before passing it to refresh(String).
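
The checks described for requireFirebaseToken, sketched as an added example (not Codename One's source). The class and method names are hypothetical, and the exact alphabet (base64url plus '.', ':' and '=') and the IllegalArgumentException are assumptions read from the description above.

```java
// Added illustration; not the library's implementation. Names are hypothetical.
public final class RefreshTokenCheck {
    private static final int MAX_LEN = 4096; // cap stated in the documentation above

    // Assumed alphabet: base64url, '.' for JWT-shaped tokens, plus ':' and '='.
    static boolean allowed(char c) {
        return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
                || c == '-' || c == '_' || c == '.' || c == ':' || c == '=';
    }

    static String requireTokenShape(String token) {
        if (token == null || token.isEmpty()) {
            throw new IllegalArgumentException("refresh token is empty");
        }
        if (token.length() > MAX_LEN) {
            throw new IllegalArgumentException("refresh token exceeds " + MAX_LEN + " chars");
        }
        char[] out = new char[token.length()];
        for (int i = 0; i < out.length; i++) {
            char c = token.charAt(i);
            if (!allowed(c)) {
                // Report the position only; never echo token material into logs.
                throw new IllegalArgumentException("illegal character at index " + i);
            }
            out[i] = c;
        }
        return new String(out); // rebuilt from a fresh char[], as described above
    }

    public static void main(String[] args) {
        // Constructed sample values, not real tokens.
        String[] samples = {
            "AMf-vBx3kQ_constructed-sample",   // URL-safe base64 shape: accepted
            "aaa.bbb.ccc",                     // JWT shape: accepted
            "abc def",                         // whitespace: rejected
            "abc&extra=1",                     // '&' would split a form-encoded body
            "abc\r\nX-Injected: 1",            // control characters: rejected
            "\"quoted\""                       // quotes: rejected
        };
        for (String s : samples) {
            try {
                requireTokenShape(s);
                System.out.println("accepted, length=" + s.length());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

A caller importing a token from a deep link or the clipboard would run the library's own requireFirebaseToken(String) before refresh(String); the sketch only shows which inputs such an allowlist accepts and rejects.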