I'm creating a custom user management system in which all the app data lives on the application server, but the phone number should be authenticated by Firebase. When a new user registers on the system, Firebase Phone Authentication takes place. On successful authentication from Firebase, the registration data goes to the server via API. Now the problem is: how do I check server-side whether the phone number has been authenticated by Firebase or not? If I allow registration without server-side Firebase auth validation, the API request can be spoofed by someone. I'm currently using kreait/firebase-php ^4.18 (Firebase SDK for PHP).
The flow I'm using right now is demonstrated below, and the flow I want to implement is also given below.
Update 25/09/2019

The library Kreait\Firebase helped to implement the flow given by @jeromegamez in the accepted answer. However, Kreait\Firebase does not support idToken validation for iOS devices. The iOS device has a Google idToken rather than a Firebase idToken, and hence Kreait\Firebase failed to validate it. A brief description of the issue is given in the post "Firebase IOS idToken invalid kid Exception in the backend while verifyIdToken in Gmail Auth".
The Firebase Rest API has the method for that.
On the device, after the user is authenticated and you have the User object, get the token for verification by calling the SDK's ID-token method for your platform: getIdToken() (web/Android-style SDKs), or getIDToken() / -getIDTokenWithCompletion: in the iOS SDK.
Then, with that temporary ID token, you can send a POST request to https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=[API_KEY] (API_KEY being the "Web API Key" of the Firebase project) to get the user info, which will include the phoneNumber of the owner of the token.
Thus you can verify server-side that the owner of the token has that specific phone number.
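A server-side check built on the accounts:lookup call described above, as an added PHP example (not code from the question or from the answer's author): the registration endpoint receives the client's ID token and the phone number it claims, asks Firebase which phone number the token's owner actually has, and only accepts the registration when the two match. FIREBASE_WEB_API_KEY and the JSON field names idToken / phoneNumber are assumptions.

```php
<?php
// Added example: verify server-side that the Firebase ID token sent with a
// registration request belongs to a user whose recorded phone number matches
// the number being registered. FIREBASE_WEB_API_KEY is a placeholder.
const FIREBASE_WEB_API_KEY = 'YOUR_WEB_API_KEY'; // the project's "Web API Key"

/**
 * Returns the phone number Firebase has on record for the owner of $idToken,
 * or null if the token is rejected, the call fails, or no number is recorded.
 */
function firebasePhoneNumberForIdToken(string $idToken): ?string
{
    $url = 'https://identitytoolkit.googleapis.com/v1/accounts:lookup?key='
         . urlencode(FIREBASE_WEB_API_KEY);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_POSTFIELDS     => json_encode(['idToken' => $idToken]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null; // invalid/expired token or transport error: treat as unverified
    }
    // Response shape: {"users": [{"localId": "...", "phoneNumber": "+1...", ...}]}
    $data = json_decode($body, true);
    return $data['users'][0]['phoneNumber'] ?? null;
}

/**
 * The phone number the client claims must equal the one Firebase attests for
 * the token; anything else (including a missing number) rejects registration.
 */
function registrationPhoneIsVerified(string $idToken, string $claimedPhone): bool
{
    $attested = firebasePhoneNumberForIdToken($idToken);
    // Both values are E.164 strings; never trust the client-supplied number alone.
    return $attested !== null && hash_equals($attested, $claimedPhone);
}

// In the registration endpoint (JSON body with "idToken" and "phoneNumber" assumed):
$req = json_decode(file_get_contents('php://input'), true) ?: [];
if (!registrationPhoneIsVerified($req['idToken'] ?? '', $req['phoneNumber'] ?? '')) {
    http_response_code(401);
    exit(json_encode(['error' => 'phone number not verified by Firebase']));
}
// Registration data is trustworthy from here on; store it.
```

A 400 response from accounts:lookup (for example an expired or forged token) is deliberately treated the same as a mismatch, so spoofed requests never reach the storage step.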
When a user successfully authenticates with their phone number for the first time, the phone number is stored in the user's record in the Firebase Auth User list and can be considered verified.
Once a phone number is associated with a user in your Auth database, you can be sure that
You should not assume that this phone number is now "verified". As stated in the official Firebase documentation pages:
Security concerns
Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.
If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.
Source: https://firebase.google.com/docs/auth/web/phone-auth#security-concerns
PS: The only other way to add a phone number to a user is through an Admin SDK, and here it's your responsibility to ensure that the phone number belongs to a user.
PSS: As far as I know (and checked), the Firebase REST APIs don't expose a "verified phone number" information.