Delay promise for revoke (#195)

avishalom · web-flow · commit 53d68edf1316 · 2018-01-29T18:36:38.000-05:00
* adding a 1 second delay before revoking a token
diff --git a/src/auth/auth-api-request.ts b/src/auth/auth-api-request.ts
@@ -536,6 +536,9 @@ export class FirebaseAuthRequestHandler {
    * In addition to revoking all refresh tokens for a user, all ID tokens issued
    * before revocation will also be revoked on the Auth backend. Any request with an
    * ID token generated before revocation will be rejected with a token expired error.
+   * Note that due to the fact that the timestamp is stored in seconds, any tokens minted in
+   * the same second as the revocation will still be valid. If there is a chance that a token
+   * was minted in the last second, delay for 1 second before revoking.
    *
    * @param {string} uid The user whose tokens are to be revoked.
    * @return {Promise<string>} A promise that resolves when the operation completes
diff --git a/test/integration/auth.spec.ts b/test/integration/auth.spec.ts
@@ -167,7 +167,9 @@ describe('admin.auth', () => {
       })
       .then((decodedIdToken) => {
         // Verification should succeed. Revoke that user's session.
-        return admin.auth().revokeRefreshTokens(decodedIdToken.sub);
+        return new Promise((resolve) => setTimeout(() => resolve(
+          admin.auth().revokeRefreshTokens(decodedIdToken.sub)
+        ), 1000));
       })
       .then(() => {
         // verifyIdToken without checking revocation should still succeed.
