firebase · avishalom · Jan 29, 2018 · Jan 26, 2018 · Jan 26, 2018 · Jan 26, 2018
diff --git a/src/auth/auth-api-request.ts b/src/auth/auth-api-request.ts
@@ -536,6 +536,9 @@ export class FirebaseAuthRequestHandler {
  * In addition to revoking all refresh tokens for a user, all ID tokens issued
  * before revocation will also be revoked on the Auth backend. Any request with an
  * ID token generated before revocation will be rejected with a token expired error.
+ * Note that due to the fact that the timestamp is stored in seconds, any tokens minted in
+ * the same second as the revocation will still be valid. If there is a chance that a token
+ * was minted in the last second, delay for 1 second before revoking.
  *
  * @param {string} uid The user whose tokens are to be revoked.
  * @return {Promise<string>} A promise that resolves when the operation completes

diff --git a/test/integration/auth.spec.ts b/test/integration/auth.spec.ts
@@ -167,7 +167,9 @@ describe('admin.auth', () => {
  })
  .then((decodedIdToken) => {
  // Verification should succeed. Revoke that user's session.
- return admin.auth().revokeRefreshTokens(decodedIdToken.sub);
+ return new Promise((resolve) => setTimeout(() => resolve(
+ admin.auth().revokeRefreshTokens(decodedIdToken.sub)
+ ), 1000));
  })
  .then(() => {
  // verifyIdToken without checking revocation should still succeed.