Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can I verify firebase token server side?

Tags:

rest

authentication

php

firebase

firebase-authentication

I have a firebase account where I manually create the users who will be abled to use my site (sign up is not public, but it is not relevant to this inquiry)

In the login page, the authentication is through javascript.
Once the user enters their mail and password the corresponding function is executed, I get the token and I send it to my PHP server via url redirection. Something like this:

firebase.auth().signInWithEmailAndPassword(inputemail, inputpassw)
    .then( function(user) {

        myEmail = user.email;
        myUid = user.uid;

        user.getIdToken()
            .then( function(token){
                myToken = token;

                location.href = "http://www.example.com/verify?email="+myEmail+"&token="+myToken+"&uid="+myUid;

            });

    }, function (error) {
       ...
    });

Then, on my server I will have the mail, the uid, and the token.
So, my question is:
How do I verify that the token is valid? It is impossible?
I know the token is encrypted, but the key is public... so anyone could make a valid token!
I mean, for instance, I have an expired token, I can decode it, change the expiration time, encode it again and gain access to my server without knowing any password

Is there something I'm missing?

Apparently I can not verify the token via REST.
What alternative do I have?

like image 638
Leonardo Javier Avatar asked Dec 15 '25 04:12

Leonardo Javier

1 Answers

From the Firebase Documentation:

The Firebase Admin SDK has a built-in method for verifying and decoding ID tokens. If the provided ID token has the correct format, is not expired, and is properly signed, the method returns the decoded ID token. You can grab the uid of the user or device from the decoded token.

So, you do not need to worry about someone trying to generate fake tokens.

To verify the token in PHP, as described in the docs Firebase Admin SDK for PHP

Minimal code for verifying the token:

use Kreait\Firebase;
use Firebase\Auth\Token\Exception\InvalidToken;

//create Firebase factory object
//$firebase = (new Firebase\Factory())->create();

//get a token from client 
//$idTokenString = 'eyJhbGciOiJSUzI1...';

try {
    $verifiedIdToken = $firebase->getAuth()->verifyIdToken($idTokenString);
} catch (InvalidToken $e) {
    echo $e->getMessage();
}

$uid = $verifiedIdToken->getClaim('sub');
$user = $firebase->getAuth()->getUser($uid);
echo $user;
like image 153
Mann Avatar answered Dec 16 '25 21:12

Mann
Sign in to Comment

Related questions

Import content between Twig files
Move custom saved amount below the price in Woocommerce simple products
Send custom email using WooCommerce template from a custom plugin
Scroll to person name on a webpage if first letter of name is pressed on keyboard
How can i secure this API in an APK file
Syntax Error in concat echo statement and html code
POST using cURL and x-www-form-urlencoded in PHP returning Access Denied
Laravel: Custom login redirects to /home instead of a /welcome page
MySQL for selecting MAXIMUM differences of two columns
PHP - spl_autoload_register Not Working with `namespace` and `use`
File for preset 'slower' not found in ffmpeg with linux
How to parse a file with a multiple JSONs in PHP(Laravel)?
CodeIgniter &get_instance() not working in php5.6 version?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!