How to pass Firebase Auth Token from client to server?

The website that I'm working on uses Firebase authentication and different users that login have different permissions as to which pages they can visit.

The way signing in is setup is similar to this post:

  1. User logs in with two parameters - "id" and "email"
  2. Server uses these to create a custom "uid", then uses the Firebase Admin SDK to create a custom token that is sent back to the client.
  3. The client logs in with the JavaScript Firebase SDK - firebase.auth().signInWithCustomToken()
  4. Now that the user is logged in, they can click different pages - i.e. '/foo', '/bar'

The issue I'm running into is that when they visit new pages, I'm trying to pass the token from the client back to the server (almost identical to how it's done in this Firebase Doc), verify the token & check if it has permission to view the webpage.

I'm trying to figure out the best (& most secure) way to do this. I've considered the following option:

  • Construct a URL with the token, but I've heard this isn't good practice because the token is getting exposed and session hijacking becomes a lot easier.

I've been trying to pass the token in the request header, but from my understanding you can't add headers when the user clicks on a link to a different page (or if it's redirected in JavaScript). The same issue applies to using POST.

What can I do to securely pass this information to the server and check permissions when a user clicks on a link to a different page?

wolverine239 asked Apr 03 '17 22:04


1 Answer

You can get the accessToken (idToken) on the client side by:

var accessToken = null;

// getIdToken() is asynchronous: accessToken stays null until the promise resolves,
// so only build the request header after this callback has run.
firebase.auth().currentUser
    .getIdToken()
    .then(function (token) {
        accessToken = token;
    });

and pass it in your request headers:

request.headers['Authorization'] = 'Bearer ' + accessToken;

and on your server side get the token with your preferred method and authenticate the request with Firebase Admin SDK, like (Node.js):

// verifyIdToken() checks the token's signature, issuer, audience and expiry;
// it rejects (the promise fails) for a tampered or expired token.
firebaseAdmin.auth()
    .verifyIdToken(accessToken)
    .then(decodedIdToken => {
        return firebaseAdmin.auth().getUser(decodedIdToken.uid);
    })
    .then(user => {
        // Do whatever you want with the user.
    });
mehyaa answered Oct 25 '22 12:10
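As an added example (not part of mehyaa's answer), here is the server side of that pattern as an Express-style middleware: it parses the "Authorization: Bearer <idToken>" header, verifies the token, and then enforces the per-page permission the question asks about. The verifier is injected so the same logic runs against firebase-admin in production and against a stub offline; the custom claim name "pages" and the Express-style req/res/next shape are assumptions.

```javascript
// Added example; not from the original answer or from Firebase's own docs.
// Assumptions: Express-style (req, res, next) middleware, and a custom claim
// "pages" (set via the Admin SDK) listing the pages a user may view.

function parseBearer(headerValue) {
  // Accept only the exact "Bearer <token>" shape; anything else is rejected.
  if (typeof headerValue !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(headerValue.trim());
  return m ? m[1] : null;
}

async function checkAccess(verifyIdToken, authHeader, requiredPage) {
  // verifyIdToken: (token) => Promise<decodedToken>, e.g.
  //   (t) => admin.auth().verifyIdToken(t)
  // Returns { status: 200, uid, pages } or { status: 401 | 403, error }.
  const token = parseBearer(authHeader);
  if (!token) return { status: 401, error: 'missing bearer token' };

  let decoded;
  try {
    decoded = await verifyIdToken(token);
  } catch (err) {
    // Expired, revoked, or forged tokens all land here; never fall through.
    return { status: 401, error: 'invalid token' };
  }

  const pages = Array.isArray(decoded.pages) ? decoded.pages : [];
  if (!pages.includes(requiredPage)) return { status: 403, error: 'forbidden' };
  return { status: 200, uid: decoded.uid, pages };
}

function makeAuthorize(verifyIdToken, requiredPage) {
  // Usage: app.get('/foo', makeAuthorize(verify, 'foo'), fooHandler)
  return async function authorize(req, res, next) {
    const result = await checkAccess(verifyIdToken, req.headers['authorization'], requiredPage);
    if (result.status !== 200) {
      res.status(result.status).json({ error: result.error });
      return;
    }
    req.user = { uid: result.uid, pages: result.pages };
    next();
  };
}
```

The header is only present on requests your client code sends (fetch/XHR with the Authorization header set), which is why the middleware returns 401 rather than redirecting for a plain link click that carries no token.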