How to safely use Firebase Auth on a PHP web app

Question

I am building a news website on with PHP and MySQL. For user management, I'm considering using Firebase Auth.

The login, password, email confirmation, etc, will be managed by Firebase. This part was easily achieved using the docs in Javascript.

But at one point the web app needs to know the email of user, for example, to manage the content and allow access to restricted areas, connecting to the MySQL DB using PHP.

Firebase Auth uses JavaScript to find out the email for example:

      firebase.auth().onAuthStateChanged(function(user) {

                var user = firebase.auth().currentUser;

                if(user != null){

                  var email_id = user.email;

                }
        }

How can I safely get the user email logged in on the session and send to the server side using PHP? How can I safely be sure the session expired and let the app know about that using PHP? Is this approach recommended (Firebase Auth + PHP website)?

Thanks!

Answer 1

To securely know what user is accessing your web site, you:

1. retrieve the ID token of the user on the client
2. securely send the resulting JWT to your back-end
3. decode and verify the ID token on your back-end

Ideally you'd use the Firebase Admin SDK for that last step. But unfortunately there is no official Firebase Admin SDK for PHP (yet). There is a third party library that seems to support validating ID tokens in PHP, but I never tried that myself. Of course, JWT is a well-defined standard, so there are support libraries for many languages on https://jwt.io/.