My Firebase users are sending requests to my API server. I am verifying them using security rules in Google Cloud Endpoints. I extract their userID without using the Admin SDK on Google App Engine.
Normally, Google suggests verifying incoming ID tokens for an HTTPS request via this code in their example Firebase Cloud Functions code:
const admin = require('firebase-admin');

// Express middleware: the Admin SDK verifies the Firebase ID token's signature
// and claims, then the decoded claims (including uid) are attached to the request.
admin.auth().verifyIdToken(idToken).then((decodedIdToken) => {
  console.log('ID Token correctly decoded', decodedIdToken);
  req.user = decodedIdToken;
  return next();
}).catch((error) => {
  console.error('Error while verifying Firebase ID token:', error);
  res.status(403).send('Unauthorized');
});
However, in the example Google App Engine code, Google decodes the token without the admin SDK:
// The Endpoints proxy has already verified the token; it forwards the caller's
// identity as base64-encoded JSON in the X-Endpoint-API-UserInfo header.
let authUser = { id: 'anonymous' };
const encodedInfo = req.get('X-Endpoint-API-UserInfo');
if (encodedInfo) {
  authUser = JSON.parse(Buffer.from(encodedInfo, 'base64').toString('utf8'));
}
I am using Google Cloud Endpoints to secure my API hosted on Google App Engine. I have set security on Cloud Endpoints to allow only Firebase users to access the routes; however, I only want users to access their own data, so I need to decode their ID token to retrieve their userID. I was wondering if Cloud Endpoints handles the authentication here. Do I need to have the Admin SDK verify the token, or is the simple decoding in Google's example secure enough because Cloud Endpoints already takes care of verifying the idToken?
The Admin SDK is doing what the Endpoints proxy is doing in verifying the token. The proxy is just passing along the verified token. As long as the Endpoints proxy remains in front of your app, you can just decode the X-Endpoint-API-UserInfo token.
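The pattern the answer describes, as an added example that is not code from the question, the answer, or Google's samples: an Express-style middleware that decodes X-Endpoint-API-UserInfo (trusting it only because the Endpoints proxy verified the Firebase ID token before setting it), treats a missing or malformed header as unauthenticated rather than anonymous on protected routes, and enforces "a user may only access their own data" by comparing the verified uid with the uid in the route. The `issuer` field, the Firebase issuer prefix check, the `:uid` route parameter and the sample header are assumptions made for this example.

```javascript
// Added example: decode the identity the Endpoints proxy attaches and enforce
// that callers only reach their own records. Assumes the proxy's JSON carries
// `id` and `issuer` (issuer check is defense in depth, the proxy already
// restricts issuers) and that the app is reachable only through the proxy.
const FIREBASE_ISSUER_PREFIX = 'https://securetoken.google.com/'; // assumed Firebase iss prefix

// Decode the base64 JSON the proxy attaches. Returns null on anything
// malformed so callers fall through to "unauthenticated", never "anonymous".
function parseEndpointUserInfo(headerValue) {
  if (typeof headerValue !== 'string' || headerValue.length === 0) return null;
  let info;
  try {
    info = JSON.parse(Buffer.from(headerValue, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
  if (!info || typeof info.id !== 'string' || info.id.length === 0) return null;
  if (typeof info.issuer !== 'string' || !info.issuer.startsWith(FIREBASE_ISSUER_PREFIX)) {
    return null;
  }
  return { id: info.id, issuer: info.issuer, email: info.email || null };
}

// Authorization decision: the verified uid must equal the uid in the route.
function canAccessUserData(authUser, requestedUid) {
  return Boolean(authUser) && typeof requestedUid === 'string' && authUser.id === requestedUid;
}

// Express middleware for routes such as GET /users/:uid/profile (hypothetical route).
function requireOwnUser(req, res, next) {
  const authUser = parseEndpointUserInfo(req.get('X-Endpoint-API-UserInfo'));
  if (!authUser) return res.status(401).send('Unauthenticated');
  if (!canAccessUserData(authUser, req.params.uid)) return res.status(403).send('Forbidden');
  req.user = authUser;
  return next();
}

// Constructed sample header, shaped as the proxy would attach it for a
// hypothetical project "demo-project"; not a real token or user.
const SAMPLE_HEADER = Buffer.from(JSON.stringify({
  issuer: 'https://securetoken.google.com/demo-project',
  id: 'uid_abc123',
  email: 'alice@example.com',
})).toString('base64');

module.exports = { parseEndpointUserInfo, canAccessUserData, requireOwnUser, SAMPLE_HEADER };
```

Mount `requireOwnUser` on the per-user routes and read `req.user.id` downstream instead of any uid supplied by the client.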