I have a NextJS web app and I'm adding firebase authentication to it.

I want to make secure GET calls to my server, and was wondering what is the token I should use with the server and where to set it?

Should I use the firebase user's AccessToken? And should I send it in the URL query parameter (or header)? Aren't both alternatives exposed to whomever sees the URL and they can impersonate the user?

Thank you in advance for the help.

CodePudding user response：

Are you talking about your API keys? if you are they are supposed to be visible, you need to write Security Rules which are pretty simple to use.

Read more here: Learn about using and managing API keys for Firebase

CodePudding user response：

If you want your own server-side code to use the caller's Firebase Authentication credentials to ensure they are authorized for the operation they are trying to perform, you should:

1. Pass the users ID token from the client to your server over a secure connection. This is typically done in the Authorization header of the HTTP request.

2. On the server decode the ID token, and then check your own authorization logic to see if the call is allowed.

The entire process is quite well described in the Firebase documentation on verifying ID tokens, so I recommend checking that out too.