Reputation: 3566
I'm trying to verify the idToken provided by the Firebase JavaScript SDK with the Tuupola JWT middleware for Slim 4, but I always get a 401 error. This is the client code I'm using to get the token:
const provider = new firebase.auth.GoogleAuthProvider();
provider.addScope("profile");
provider.addScope("email");
firebase.auth().signInWithPopup(provider).then((result) => {
    console.log(result);
});
The auth flow works correctly as expected and I'm able to pass the token in the Authorization header, but I'm not able to verify it on the server, where I'm using Slim 4 for a RESTful API.
I've read different questions about this problem, but none of them has helped me solve it.
Here is my middleware implementation:
use Slim\App;
use Tuupola\Middleware\CorsMiddleware;
use Tuupola\Middleware\JwtAuthentication;

return function (App $app) {
    $app->add(new CorsMiddleware([
        "origin" => ["chrome-extension://oegddbimpfdpbojkmfibkebnagidflfc"],
        "methods" => ["GET", "POST", "OPTIONS"],
        "headers.allow" => ["Authorization"],
        "headers.expose" => [],
        "credentials" => true,
        "cache" => 86400
    ]));

    // Google publishes the current Firebase signing certificates as a JSON object
    // keyed by "kid". Decode it into an array so the middleware can select the
    // certificate matching the token's kid header; the raw JSON string is not a key.
    $rawPublicKeys = file_get_contents('https://www.googleapis.com/robot/v1/metadata/x509/[email protected]');
    if ($rawPublicKeys === false) {
        throw new RuntimeException('Could not fetch the Firebase public keys');
    }
    $keys = json_decode($rawPublicKeys, true);

    $app->add(new JwtAuthentication([
        "algorithm" => ["RS256"],
        // Must match the header name the client actually sends (the default is "Authorization").
        "header" => "X-Authorization",
        "regexp" => "/Bearer\s+(.*)$/i",
        "secret" => $keys,
        // Accepts tokens over plain HTTP; leave this at the default (true) outside local development.
        "secure" => false,
        "after" => function ($response, $arguments) {
            return $response->withHeader("X-Brawndo", "plants crave"); // this is only for testing
        }
    ]));
};
And this is what I have inside my index.php file, where the Slim app is running:
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Slim\Factory\AppFactory;
use Tuupola\Middleware\CorsMiddleware;

require_once __DIR__ . '/vendor/autoload.php';

$app = AppFactory::create();

// middleware.php returns a closure that registers the CORS and JWT middleware.
$authMiddleware = require_once __DIR__ . '/middleware.php';
$authMiddleware($app);

$app->get('/keygen', function (Request $request, Response $response, $args) {
    // 3 random bytes = 6 hex characters, i.e. only 24 bits of entropy.
    $password = bin2hex(random_bytes(3));
    $response->getBody()->write(json_encode(['generated_password' => $password]));
    return $response->withHeader('Content-Type', 'application/json');
});

// Note: this is a second CORS middleware on top of the one added in middleware.php.
$app->add(new CorsMiddleware([
    "origin" => ["*"],
    "methods" => ["GET", "POST", "OPTIONS"],
    "headers.allow" => ["Authorization"],
    "headers.expose" => [],
    "credentials" => true,
    "cache" => 86400
]));

$app->run();
What I want to achieve is to authenticate each request made from the client to the API using the Firebase idToken provided after the client login. When a request is made, the middleware will verify the token and then authorize the user, or not, to use the endpoint.
Is it possible to fix this?
Upvotes: 1
Views: 1654
Reputation: 3566
After a lot of debugging I found and solved the problem. In my client code I was using the wrong idToken as Authorization: Bearer, and also the header sent to the server was mismatching the middleware configuration: in my axios requests I was sending the X-Authorization header instead of Authorization. To get the correct token to use I called the firebase.auth().onAuthStateChanged( (user) => {...}) method and, when the user object became available, I called the getIdToken() method. This operation returns the correct JWT token to use with the middleware to authenticate the requests.
Upvotes: 0
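A signature check with Google's RS256 certificates, which is all the JwtAuthentication configuration above performs, proves that Google signed the token, not that it was issued for this Firebase project or that it is still valid. The following is an added example, not code from the question, the answer or the tuupola/slim-jwt-auth project: a Slim 4 middleware that runs after the signature has been verified and applies the claim rules Firebase documents for ID tokens (exp, iat, auth_time, aud, iss, sub). It assumes JwtAuthentication keeps its default "attribute" => "token" option so the decoded payload is readable from the request, that slim/psr7 is the PSR-7 implementation, and the project ID FIREBASE_PROJECT_ID is a constructed placeholder.

```php
<?php
declare(strict_types=1);

// Added example; not code from the question or from tuupola/slim-jwt-auth.
// Assumptions: JwtAuthentication keeps its default "attribute" => "token" option, so the
// decoded payload is available as $request->getAttribute('token'); slim/psr7 is the
// PSR-7 implementation; FIREBASE_PROJECT_ID is a constructed placeholder.

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as Handler;
use Slim\Psr7\Factory\ResponseFactory;

const FIREBASE_PROJECT_ID = 'my-demo-project'; // constructed; use your Firebase project ID

/**
 * Apply the claim rules Firebase documents for ID tokens, after the signature
 * has already been verified. Returns null when valid, otherwise a short reason.
 * $now is a parameter so the check is deterministic; $leeway absorbs clock skew.
 */
function firebaseClaimError(array $claims, string $projectId, int $now, int $leeway = 60): ?string
{
    foreach (['exp', 'iat', 'auth_time', 'aud', 'iss', 'sub'] as $name) {
        if (!array_key_exists($name, $claims)) {
            return "missing claim: $name";
        }
    }
    if (!is_int($claims['exp']) || $claims['exp'] <= $now - $leeway) {
        return 'token expired';
    }
    if (!is_int($claims['iat']) || $claims['iat'] > $now + $leeway) {
        return 'issued in the future';
    }
    if (!is_int($claims['auth_time']) || $claims['auth_time'] > $now + $leeway) {
        return 'auth_time in the future';
    }
    // aud and iss bind the token to *this* project: a valid token for another
    // Firebase project is signed by the same Google keys and would otherwise pass.
    if ($claims['aud'] !== $projectId) {
        return 'wrong audience';
    }
    if ($claims['iss'] !== 'https://securetoken.google.com/' . $projectId) {
        return 'wrong issuer';
    }
    if (!is_string($claims['sub']) || $claims['sub'] === '' || strlen($claims['sub']) > 128) {
        return 'invalid subject';
    }
    return null;
}

// Slim 4 middleware that runs inside JwtAuthentication. Slim executes the middleware
// added last first, so call $app->add($firebaseClaims) *before* adding JwtAuthentication.
$firebaseClaims = function (Request $request, Handler $handler): Response {
    $claims = (array) $request->getAttribute('token'); // cast covers array or object payloads
    $error = firebaseClaimError($claims, FIREBASE_PROJECT_ID, time());
    if ($error !== null) {
        $response = (new ResponseFactory())->createResponse(401);
        $response->getBody()->write(json_encode(['error' => $error]));
        return $response->withHeader('Content-Type', 'application/json');
    }
    // Hand the verified Firebase uid to route handlers as its own attribute.
    return $handler->handle($request->withAttribute('uid', $claims['sub']));
};

// Quick local check with a constructed payload (not a real token).
$now = 1700000000;
$good = [
    'exp' => $now + 3600, 'iat' => $now - 10, 'auth_time' => $now - 10,
    'aud' => FIREBASE_PROJECT_ID,
    'iss' => 'https://securetoken.google.com/' . FIREBASE_PROJECT_ID,
    'sub' => 'uid-123',
];
assert(firebaseClaimError($good, FIREBASE_PROJECT_ID, $now) === null);
assert(firebaseClaimError(['aud' => 'other-project'] + $good, FIREBASE_PROJECT_ID, $now) === 'wrong audience');
assert(firebaseClaimError(['exp' => $now - 3600] + $good, FIREBASE_PROJECT_ID, $now) === 'token expired');
```

In the layout from the question this means adding `$app->add($firebaseClaims);` in index.php before the `$authMiddleware($app);` call, so that JwtAuthentication wraps it and rejects bad signatures first; handlers behind it can then trust `$request->getAttribute('uid')` as the authenticated Firebase user.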