When (not) to use this package -

[kevinnammour]

In next-firebase-auth README.md file, it was specified that:

If your app needs the Firebase user for SSR (but does not need the ID token server side), you could consider one of these approaches:

1. On the client, set a JavaScript cookie with the Firebase user information once the Firebase JS SDK loads.
   - Pros: You won't need login/logout API endpoints. You can structure the authed user data however you'd like.
   - Cons: The cookie will be unsigned and accessible to other JavaScript, making this approach less secure. You won't always have access to the Firebase ID token server side, so you won't be able to access other Firebase services. (Note that you can set the ID token in the cookie, but it will expire after an hour and be invalid for future server-side-rendered pages.)

2. Use Firebase's session cookies.
   - Pros: It removes this package as a dependency.
   - Cons: You won't have access to the Firebase ID token server side, so you won't be able to access other Firebase services. You'll need to implement the logic for verifying the session and managing the session state.

@kmjennison I want to use this library but since it's not yet stable with firebase v9, I have to go with the second approach you provided. However, I wanted to ask you if that was really an alternative that one would seek to. In firebase session cookies documentation, they indicated to set the client auth state to none since the session cookie is stored in a httpOnly cookie. If so, how can I access firebase SDK services such as firestore and storage from the client side if there is no auth state.

What I need for my application is a consistent state on the client and the server (However, I only need the user token in SSR, and not for server side api requests). Can you ellaborate on what you mean by using firebase session cookie as an alternative to be able to access the user client side and in SSR.

I know I shouldn't be asking this here, but I just wanted to know what u meant by using firebase session cookies as an alternative.

[kmjennison]

@kevinnammour I don't see a reason the Firebase client-side auth can't be used in conjunction with Firebase session cookies. The Firebase docs might just be focusing on a cookie-only approach when they suggest not persisting auth on the client. However, I might be missing something that would cause a problem with that setup—I'm not sure.

As for this package, I'm hoping to get out a stable version soon, time-permitting! There's not much left on the v1 roadmap: #265