Home > Software design >  Is using the firebase accessToken to identify users server side a secure method?
Is using the firebase accessToken to identify users server side a secure method?

Time:01-12

I was wondering if sending the firebase accessToken, which in my case comes from the currentUser.getIdToken method, to the server and use it to identify the user is a secure approach.

As I mentioned above I am using the currentUser.getIdToken method to get the users accessToken. The accessToken is then being sent to the server which uses firebase's admin SDK to identify the user from his accessToken. More specific I am using the verifyIdToken method from as I mentioned earlier the firebase admin SDK.

Server:

async function getUserFromAccessToken(accessToken) {
    try {
        var user = await admin.auth().verifyIdToken(accessToken);
        return user;
    } catch(e) {
        return false;
    }
}

Client:

firebase.auth().currentUser.getIdToken(/* forceRefresh */ true)

Let me know if this approach is fine.

CodePudding user response:

Yes. That is indeed the recommended way in the documentation. The token is a JWT signed by Firebase and Firebase Admin SDK verifies if the token received is signed by Firebase or not.

Page link:https//www.codepudding.com/Softwaredesign/669498.html

Prev:Property does not exist on type 'A' while using user-defined typeguard
Next:Is it a bad practice to set property of object, nested in another object by directly setting it on d
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding