Reputation: 31385
So I've found this piece of doc on how to integrate Firebase authentication with Google App Engine, but it was written for Python, and it seems old, as I've found some inconsistencies in the code. I didn't find a corresponding tutorial for NodeJS.
From what I understood, the sequence of the process should be the following:
STEP 1
userIdToken by using user.getIdToken()
STEP 2
headers: {
'Authorization': 'Bearer ' + userIdToken
}
Then the tutorial indicates that I should use a Google Auth library, in order to validate the JWT userIdToken.
Before the client can access server data, your server must verify the token is signed by Firebase. You can verify this token using the Google Authentication Library for Python. Use the authentication library's verify_firebase_token function to verify the bearer token and extract the claims:
Therefore, for a NodeJS server, I should use the following library, correct?
Or instead, can I use firebase-admin to validate the userIdToken as indicated in the following doc?
https://firebase.google.com/docs/auth/admin/verify-id-tokens
I guess that firebase-admin seems to be the way to go in this case. But if I choose that path, should I still pass the token using the 'Authorization': 'Bearer ' header? Or is there a better way of handling this?
Upvotes: 0
Views: 1080
Reputation: 317487
You can pass the ID token to your backend any way you want. It's customary and standard to use the Authorization header as you see in the documentation, but not required. The code examples should make it clear that what you really just need is to pass that token to be verified with the Firebase Admin SDK.
Upvotes: 2
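As an added example (not code from the question, the answer, or the Firebase docs), here is one way a Node server can take the ID token from the Authorization header and hand it to the Firebase Admin SDK. The function names extractBearerToken, authenticate and firebaseVerifier are hypothetical, and the verifier is injected so the header handling can be exercised without network access.

```javascript
// Added example; function names are hypothetical, not part of any SDK.

// Pull the token out of an "Authorization: Bearer <token>" header value.
// Returns null unless the value is exactly the Bearer scheme plus one token
// (token alphabet per RFC 6750: ALPHA / DIGIT / - . _ ~ + / and trailing =).
function extractBearerToken(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const match = /^Bearer +([A-Za-z0-9\-._~+/]+=*)$/i.exec(headerValue.trim());
  return match ? match[1] : null;
}

// Decide whether a request is authenticated.
// `headers` is Node's req.headers (header names are already lower-cased).
// `verifyIdToken` is any async function that resolves to the decoded claims
// or rejects; in production pass firebaseVerifier() from below.
async function authenticate(headers, verifyIdToken) {
  const token = extractBearerToken(headers.authorization);
  if (!token) {
    return { status: 401, error: 'missing or malformed bearer token' };
  }
  try {
    const claims = await verifyIdToken(token);
    return { status: 200, uid: claims.uid, claims };
  } catch (err) {
    // Expired token, wrong project, bad signature: log err server-side,
    // but return one generic message to the caller.
    return { status: 401, error: 'invalid ID token' };
  }
}

// Verifier backed by the Firebase Admin SDK (npm package "firebase-admin").
// Assumption: application default credentials are available, as they are
// on App Engine; otherwise pass a credential to initializeApp().
function firebaseVerifier() {
  const admin = require('firebase-admin'); // loaded lazily, only when used
  if (admin.apps.length === 0) admin.initializeApp();
  return (idToken) => admin.auth().verifyIdToken(idToken);
}

// Typical use inside a request handler:
//   const result = await authenticate(req.headers, firebaseVerifier());
//   if (result.status !== 200) { res.writeHead(401); return res.end(); }
```

Only the uid and claims returned by the verifier should be trusted; any user identifier the client sends alongside the token should be ignored.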