What's the difference between token validation and App Check, security-wise? I think both are secure, correct? Should I use App Check, or should I verify the ID token with Bearer? Or maybe use both of them, like this:
app.post("/signup", [appCheckVerification, validateFirebaseIdToken], (request, response) => {
  // handler body
});
CodePudding user response:
The two are complementary, not mutually exclusive:
With a token from Firebase App Check you can check whether the call comes from your own application on a genuine device. So it allows you to verify the app.
With an ID token from Firebase Authentication you can check which user in the application made the call, and determine if that user is authorized to do so.
Ideally you'll want to use App Check to quickly rule out many bad actors, and then use Authentication to ensure each valid user can only access the data they're authorized to.
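The layering described in the answer, as an added example that is not part of the original post: two Express-style middlewares named after the ones in the question, run in order so that a request is rejected by the App Check layer before the ID token is examined. The factory functions, the injected verifier parameters and `runChain` are assumptions made so the code runs offline; the `X-Firebase-AppCheck` header follows Firebase's documented convention.

```javascript
// Added example: verifiers are injected so this runs offline. In production pass
// (t) => getAppCheck().verifyToken(t) and (t) => getAuth().verifyIdToken(t)
// from firebase-admin. runChain is a hypothetical stand-in for Express routing.

// Layer 1 (App Check): does the call come from a genuine instance of our app?
function makeAppCheckVerification(verifyAppCheckToken) {
  return async (req, res, next) => {
    const token = req.headers["x-firebase-appcheck"];
    if (!token) return res.status(401).json({ error: "missing App Check token" });
    try {
      req.appCheck = await verifyAppCheckToken(token);
    } catch {
      return res.status(401).json({ error: "invalid App Check token" });
    }
    return next();
  };
}

// Layer 2 (Authentication): which user made the call?
function makeValidateFirebaseIdToken(verifyIdToken) {
  return async (req, res, next) => {
    const match = /^Bearer (.+)$/.exec(req.headers.authorization || "");
    if (!match) return res.status(401).json({ error: "missing ID token" });
    try {
      req.user = await verifyIdToken(match[1]); // decoded claims, e.g. uid
    } catch {
      return res.status(401).json({ error: "invalid ID token" });
    }
    return next();
  };
}

// Runs middlewares in order and stops at the first one that does not call next().
async function runChain(middlewares, handler, headers) {
  const req = { headers };
  const out = { status: 200, body: null };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  for (const mw of middlewares) {
    let proceeded = false;
    await mw(req, res, () => { proceeded = true; });
    if (!proceeded) return out;
  }
  await handler(req, res);
  return out;
}
```

Per-user authorization (for example, comparing `req.user.uid` with the owner of the requested record) still belongs in the route handler, after both layers have passed.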