Reputation: 3149
Some months ago, Doug Stevenson told me to use the Firebase checkment dedicated to the "ID Tokens verification": https://firebase.google.com/docs/auth/admin/verify-id-tokens
I have read the doc. What I have understood is: I can't trust the Android app when it announces to the server (Firebase Firestore Rules, Firebase Firestorage Rules, Cloud Functions) the ID of the user, because it can take an existing ID other than its own actual ID and announce it. So I have to use the token system proposed in the doc.
What I have understood too is: I must get the token just after the user successfully has logged in. Then I send it to the server and it "checks it". But then... what? Okay, the server checks it. But the result of this check, what should the server do with it?
Should I do all of this (send the token to the server, check it server-side, do something server-side with the result of this check) before each call made by the Android app to the server?
Examples:
if my Android user wants to edit his account, he will fill in the form (firstname, age, bank code, picture avatar). This data will be sent to Firestore and Firestorage, so their Rules will be executed; the UID of the user must be passed, but in fact it should be the token, no? (since the Android app can lie about the UID by sending a fake UID if it's a hacker, cf. the beginning of this SO Question).
if my Android app sends data to Cloud Functions, that treats it and itself saves it into Firestore and Firestorage, should I use the token system too?
Upvotes: 0
Views: 135
Reputation: 317412
When writing directly to Firestore or Cloud Storage, the user can't fake sending a UID other than their own. As long as your security rules check it correctly, you won't have a problem. There are examples of how this works in the documentation. There is no need to verify any ID tokens when using security rules to control access - this is all handled automatically.
You use the Firebase Admin SDK to verify a token in the case where your client app is directly invoking an HTTP type function, and that function needs to make sure that only valid users are allowed to execute the code. The client sends the user's token along with the request, as shown in the documentation you linked, and the code on the backend should verify the token before doing any work on behalf of the user. There is really no need to try to pass along an ID token in any other type of Cloud Function.
Upvotes: 1
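An added example (not code from the question or the answer) of the HTTP-function case the answer describes: the handler takes the UID from the verified ID token and ignores any uid the client puts in the request body. `makeHandler`, `extractBearerToken`, `saveProfile` and `fakeRes` are hypothetical names; only `admin.auth().verifyIdToken` in the comment is the real Admin SDK call, and it is injected so the logic runs without the SDK.

```javascript
// Wiring with the real SDKs (assumed, not executed here) would be:
//   const admin = require('firebase-admin'); admin.initializeApp();
//   exports.updateProfile = functions.https.onRequest(
//     makeHandler((t) => admin.auth().verifyIdToken(t), saveProfile));

// Pull the bearer token out of the Authorization header; null if absent or malformed.
function extractBearerToken(headers) {
  const value = headers.authorization || headers.Authorization;
  if (typeof value !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/.exec(value.trim());
  return m ? m[1] : null;
}

// verifyIdToken: (token) => Promise<decoded token with .uid>, rejects when invalid.
// saveProfile: (uid, profile) => Promise<void>, your persistence logic.
function makeHandler(verifyIdToken, saveProfile) {
  return async function handler(req, res) {
    const token = extractBearerToken(req.headers || {});
    if (!token) {
      return res.status(401).json({ error: 'missing bearer token' });
    }
    let decoded;
    try {
      decoded = await verifyIdToken(token);
    } catch (err) {
      // Expired, malformed or forged tokens all end up here.
      return res.status(401).json({ error: 'invalid ID token' });
    }
    // The UID comes from the verified token only; req.body.uid is never read.
    const body = req.body || {};
    const profile = { firstname: body.firstname, age: body.age };
    await saveProfile(decoded.uid, profile);
    return res.status(200).json({ uid: decoded.uid });
  };
}

// Minimal Express-style response stub so the handler can run outside Cloud Functions.
function fakeRes() {
  const r = { statusCode: 0, body: null };
  r.status = (code) => { r.statusCode = code; return r; };
  r.json = (payload) => { r.body = payload; return r; };
  return r;
}
```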