I was wondering if sending the Firebase accessToken, which in my case comes from the currentUser.getIdToken method, to the server and using it to identify the user is a secure approach.
As I mentioned above, I am using the currentUser.getIdToken method to get the user's accessToken. The accessToken is then sent to the server, which uses Firebase's Admin SDK to identify the user from his accessToken. More specifically, I am using the verifyIdToken method from, as I mentioned earlier, the Firebase Admin SDK.
Server:
const admin = require('firebase-admin'); // admin.initializeApp() must have been called at startup

async function getUserFromAccessToken(accessToken) {
  try {
    // verifyIdToken checks the token's signature, expiry, audience and issuer
    // and resolves with the decoded claims (the Firebase user id is in .uid)
    const user = await admin.auth().verifyIdToken(accessToken);
    return user;
  } catch (e) {
    // invalid, expired or malformed token: treat the request as unauthenticated
    return false;
  }
}
Client:
// resolves with the current user's ID token; forceRefresh=true fetches a fresh one
firebase.auth().currentUser.getIdToken(/* forceRefresh */ true)
Let me know if this approach is fine.
CodePudding user response:
Yes. That is indeed the recommended way in the documentation. The token is a JWT signed by Firebase, and the Firebase Admin SDK verifies whether the token received was signed by Firebase or not.