We are developing a system where the client (mobile app) communicates with mostly with a node.js backend and sometimes with firebase directly.
One of the features is peer to peer messaging and we are using ChatSDK on the client side to integrate Firebase. We are having some difficulties understanding custom authentication with ChatSDK.
What we want is a user to be able to register and sign in (Email,Facebook, Google) using the ChatSDK. Our backend authenticates client calls using admin sdk’s verifyToken function. The token expires every hour - should client be grabbing a new token every hour? How does the refresh token come into play here?
We do have an endpoint on our server which can generate a custom token using createCustomToken(uid) function. Should the user first register with the chatSDK then use this endpoint to grab the token? Is this a security concern that all someone needs is a user’s id to grab a token to access sensitive data through HTTP endpoints?
1) How can we grab Token from the chatSDK alone? 2) How does a user ensure it always has a valid token to communicate with node.js backend?