Twitter Session Even After Logout are Persistent

[chiragbhatia94]

My environment

• Android device: Moto G3
• Android OS version: Nougat 7.1.1
• Google Play Services version: 10.2.98
• Firebase/Play Services SDK version: 1.2.0
• FirebaseUI version: 1.2.0

Describe the problem:
Once a user logs in using twitter as a provider. Its twitter session is persistent even after he logs out of the firebase account.

Changes required in
com.firebase.ui.auth.provider.TwitterProvider

Proposed solution:
It can be removed by flushing the cookies everytime we call TwitterProvider.startLogin function

This reduces the effort for logging out every time you want to login using different user account
This is similar to what it is there in GoogleProvider

Relevant Code:

Problem starts here
@OverRide
public void startLogin(Activity activity) {
mTwitterAuthClient.authorize(activity, this);
}

Solution
@SuppressWarnings("deprecation")
private static void clearCookies(Context context) {

    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1) {
        Log.d(TAG, "Using clearCookies code for API >=" + String.valueOf(Build.VERSION_CODES
                .LOLLIPOP_MR1));
        CookieManager.getInstance().removeAllCookies(null);
        CookieManager.getInstance().flush();
    } else {
        Log.d(TAG, "Using clearCookies code for API <" + String.valueOf(Build.VERSION_CODES
                .LOLLIPOP_MR1));
        CookieSyncManager cookieSyncMngr = CookieSyncManager.createInstance(context);
        cookieSyncMngr.startSync();
        CookieManager cookieManager = CookieManager.getInstance();
        cookieManager.removeAllCookie();
        cookieManager.removeSessionCookie();
        cookieSyncMngr.stopSync();
        cookieSyncMngr.sync();
    }
}

@OverRide
public void startLogin(Activity activity) {
clearCookies(activity);
mTwitterAuthClient.authorize(activity, this);
}

[samtstern]

@chiragbhatia94 yikes, this is a pretty obvious miss by us. Can't believe we went so long with this behavior!

In the signOut function, looks like we're only calling Facebook, Google, and Firebase sign out:
https://github.com/firebase/FirebaseUI-Android/blob/master/auth/src/main/java/com/firebase/ui/auth/AuthUI.java#L165

[chiragbhatia94]

@samtstern I noticed this right now, similar issue is with facebook login..

[samtstern]

@chiragbhatia94 do you have the Facebook app installed? If you don't then Facebook login uses the Chrome webview implementation which has cookies, so we can't initiate a full sign out of Facebook in that case. We can only clear the app session.

[chiragbhatia94]

@samtstern sir then this is a security issue. Instead of using the chromes web view we should use android's native webview that is usually used with facebook login (in case one is not using firebase)

[chiragbhatia94]

this is from one of my other projects in which I used facebook login using firebase without authui... and this does not store the session details

[SUPERCILEX]

@chiragbhatia94 I don't think we don't want that because it provides poor user experience. Using Chrome Custom Tabs allows the user to retrieve a stored session thus removing the need for them to sign in yet again. However, I think you can disable CCT by adding this to your manifest:

<activity
    android:name="com.facebook.CustomTabActivity"
    android:exported="true"
    tools:node="remove"/>

[SUPERCILEX]

@chiragbhatia94 See #645, it should fix this issue!

[ahaverty]

I'm seeing strange issues with facebook login in FirebaseUi v1.2.0:

1. On logging in with facebook
2. logging out with the following (verifying it works and CompleteListener is called)

AuthUI.getInstance()
                .signOut(this)
                .addOnCompleteListener(task -> {
                    if (task.isSuccessful()) {
                        finish();
                    } else {
                        Toast.makeText(this, R.string.sign_out_failed, Toast.LENGTH_LONG).show();
                    }
                });

3. Uninstalling and reinstalling
4. On launch, the first thing I do is call FirebaseAuth.getInstance().getCurrentUser() which returns the user that I had logged out before reinstalling
5. Additionally: If I retry these steps, and instead of uninstall/reinstall in step 3, I just kill the app and relaunch, I'm getting null for FirebaseAuth.getInstance().getCurrentUser()

Before I do any more digging/raising an issue, is this issue or PR related?

Just to note, I'm also allowing backup in my manifest with android:allowBackup="true"

[samtstern]

@ahaverty please raise a new issue for what you're seeing, definitely seems strange but not quite sure yet.

[SUPERCILEX]

@samtstern @ahaverty I've seen this before and I believe it is due to the auto app backup introduced in M. Try going to Google Drive and deleting the backup and you should hopefully see that the user isn't logged in when you reinstall.