Use firebase tokens to query an API in a client

Time: 12-10

I used Firebase Authentication to secure my API. In my client, I generate a personalized token with Firebase during connection, and when I make a request to my API, I check that this token is valid.

But in my client, is it better that I get the token by querying Firebase each time, or is it better that I store this token locally?

For the moment, I store it locally, but I think that this can be problematic if the token changes or if an attacker modifies their token. Because I verify with Firebase that the user is connected, if the local token changes, Firebase will still say that the user is logged in, but in my API the token will not be valid.

CodePudding user response:

The ID token you get from Firebase Authentication has an `exp` property/claim that shows you until when it's valid. Firebase's own SDKs refresh the token about 5 minutes before it expires, so your code should probably do the same. In fact, if you listen for when the ID token changes (Android docs, but also available for other SDKs), you don't have to force a refresh yourself and can just piggyback on the work the SDK already does for you.
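As an added illustration of the answer above (not code from this thread or from Firebase), here is a small Node.js helper that keeps the ID token in the client, reads its `exp` claim, and asks for a fresh one five minutes before expiry. `fetchFreshToken` is an assumed callback you would implement with the SDK's `user.getIdToken(true)`, and the tokens produced by `fakeToken` are constructed, unsigned JWT-shaped strings so the example runs offline.

```javascript
// Added example: client-side token cache with refresh ~5 minutes before `exp`.
// The client only DECODES the payload to schedule a refresh; it never trusts
// the claims. Signature and expiry are verified by the API (e.g. with the
// Firebase Admin SDK), which is what protects against a locally edited token.

const REFRESH_MARGIN_SEC = 5 * 60;

// Decode the JWT payload without verifying anything.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// True when the token is expired, unreadable, or inside the refresh margin.
function needsRefresh(token, nowSec) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true;
  return exp - nowSec <= REFRESH_MARGIN_SEC;
}

// Token source used by API calls. `fetchFreshToken` is an assumed async
// callback (wrap `user.getIdToken(true)` from the Firebase SDK); `now`
// returns the current Unix time in seconds and is injectable for testing.
function makeTokenSource(fetchFreshToken, now = () => Math.floor(Date.now() / 1000)) {
  let cached = null;
  return {
    async getToken() {
      if (cached === null || needsRefresh(cached, now())) {
        cached = await fetchFreshToken();
      }
      return cached;
    },
    // Call this from the SDK's ID-token-changed listener so a refresh the
    // SDK performs on its own replaces the cached copy.
    update(token) { cached = token; },
  };
}

// Build a constructed, UNSIGNED token (alg "none", empty signature) for demos.
function fakeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

module.exports = { decodeJwtPayload, needsRefresh, makeTokenSource, fakeToken };
```

Attach `await source.getToken()` as `Authorization: Bearer <token>` on each API call; the refresh margin only decides when the client asks for a new token, it is not a substitute for server-side verification.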

CodePudding user response:

Sorry, I made a mistake. In fact, I store the users in the database that my API uses. When the user connects with Google, the token is created in the client, so I send it to my API (of course I don't store it); I just check if the token is valid and if the ID contained in the token corresponds to the ID of one of the users stored in my database. For the classic connection (login and password), the data is sent directly to my API, I create a custom token with the user's ID in my backend, and I send the token back to the client, which generates a custom token from the token. Note that in my database the Google user IDs are the UIDs generated by Firebase Authentication, and the classic user IDs (login and password) are generated in my API.

So I guess I shouldn't generate the token in my backend and should only return the ID to generate the token in the client? I regenerate the token in my client so that the user can access the chat.
