Renew tokens via Firebase refresh token instead of replaying stored password #2
Open
dcaslin wants to merge 1 commit into
Firebase ID tokens are short-lived; the client previously kept sessions
alive by persisting the plaintext email + password and replaying them on
a 403. This stores an unnecessary credential at rest and isn't how
Firebase is meant to refresh.
- Capture refreshToken from the login response
- Add _refresh_session() to exchange the refresh token at the Firebase
secure-token endpoint for a fresh ID token
- _post()'s 403 handler now refreshes via the token grant first, falling
back to password re-login only if credentials remain in memory
- save_session()/load_session() persist {token, refresh_token} and no
longer write the plaintext password to disk
Adds a test suite (pytest) covering login capture, session persistence,
the refresh exchange, and the 403 refresh-and-retry path, using a small
version-independent fake ClientSession.
Closes Alex-Keyes#1
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary
Closes #1.
BoostcampAPI kept sessions alive by persisting the plaintext email + password and replaying them on a 403. This switches to the Firebase-native refresh-token flow, so the password is never written to disk.
Changes
- login() now keeps refreshToken from the Firebase sign-in response (previously discarded).
- _refresh_session() POSTs grant_type=refresh_token to the Firebase secure-token endpoint (https://securetoken.googleapis.com/v1/token?key=<API_KEY>, reusing the existing FIREBASE_API_KEY) and adopts the returned id_token/refresh_token.
- _post()'s 403 handler now refreshes via the token grant first, retrying with the new token. Password re-login (_re_login()) is kept only as an in-memory fallback for credentials still held in the live process — it is never persisted.
- save_session()/load_session() now store {token, refresh_token} instead of {token, email, password}.
Design notes
- 403) rather than proactive refresh via expiresIn, to mirror the existing retry structure and keep the change focused. expiresIn is available in the response if proactive renewal is wanted later.
- email/password) still load — those keys are simply ignored. The first save_session() rewrites the file without the password.
Tests
Adds a pytest suite (the repo had none) covering token capture, session persistence excluding the password, the refresh exchange, and the 403 refresh-and-retry path. Tests use a small version-independent fake ClientSession (aioresponses doesn't track recent aiohttp releases).
Run with pip install -r requirements-dev.txt && pytest.
🤖 Generated with Claude Code
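An added example, not code from this pull request or the project: a standalone Python illustration of the refresh-token grant request and the password-free session file described above. The function names, the key allow-list, the owner-only file mode, and all sample values are assumptions made for illustration; no network call is made.

```python
import json
import os
import tempfile
from urllib.parse import urlencode

# Endpoint as quoted in the PR description; callers pass their own API key.
SECURE_TOKEN_URL = "https://securetoken.googleapis.com/v1/token"
PERSISTED_KEYS = ("token", "refresh_token")  # allow-list: nothing else reaches disk


def build_refresh_request(api_key, refresh_token):
    """Return (url, form_body) for the grant_type=refresh_token exchange."""
    url = f"{SECURE_TOKEN_URL}?{urlencode({'key': api_key})}"
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return url, body


def adopt_refresh_response(payload):
    """Map the returned id_token/refresh_token onto the stored session shape."""
    missing = [k for k in ("id_token", "refresh_token") if not payload.get(k)]
    if missing:
        raise ValueError(f"refresh response missing {missing}")
    return {"token": payload["id_token"], "refresh_token": payload["refresh_token"]}


def load_session_file(path):
    """Load a session; legacy email/password keys are read but dropped."""
    with open(path, encoding="utf-8") as fh:
        raw = json.load(fh)
    return {k: raw[k] for k in PERSISTED_KEYS if k in raw}


def save_session_file(path, session):
    """Atomically rewrite the file with allow-listed keys only, mode 0600."""
    data = {k: session[k] for k in PERSISTED_KEYS if k in session}
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:  # mkstemp creates owner-only
        json.dump(data, fh)
    os.replace(tmp, path)  # swaps out the old file, password included


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "session.json")  # constructed legacy file
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"token": "old-id", "email": "u@example.test", "password": "x"}, fh)
    session = load_session_file(path)
    session.update(adopt_refresh_response({"id_token": "new-id", "refresh_token": "new-rt"}))
    save_session_file(path, session)
    print(load_session_file(path))
```

The refresh token is itself a long-lived credential, which is why the example writes the file owner-only rather than relying on the default umask.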