I have a React Native App that successfully logs in a user via Phone OTP using Firebase. Upon logging in the following data gets returned:
{"additionalUserInfo": {"isNewUser": false, "profile": null, "providerId": "phone", "username": null}, "user": {"displayName": null, "email": null, "emailVerified": false, "isAnonymous": false, "metadata": [Object], "phoneNumber": "+123456644", "photoURL": null, "providerData": [Array], "providerId": "firebase", "refreshToken": "AFxQ4_reXvXb6-L_9SWC4SCHVqxl9Rv6zWDdC_BTXySuk-MOfbjrzc4WcrIwF7XqY0zkl-XT7eQtczt1jOg1HUDQ2-Nj6yDJWZRXOMuFKTn5Ddzj9mIz1Lxigmww0Lfo1-vmErUJ_-EX2JLMD7nqep6WhuOxOMtttXUaWy5XHIUgkgzN8fHJwS9sMV3Q0A8leTAkxURbp0zlw4-5SoRBu_a-EPHWsWAY-g", "tenantId": null, "uid": "Tx90EgWkSCf6M23KjsfH5Cf5vIv1"}}
As you can see from the above data, the uid is Tx90EgWkSCf6M23KjsfH5Cf5vIv1
In order to test the verifyIdToken function of the Auth of Firebase I then use the above uid and pass it in the method:
admin
  .auth()
  .verifyIdToken('Tx90EgWkSCf6M23KjsfH5Cf5vIv1')
  .then((decodedToken) => {
    console.log('decodedToken', decodedToken)
  })
  .catch((error) => {
    // Handle error
    console.log('error', error)
  })
I then get the following error:
errorInfo: {
code: 'auth/argument-error',
message: 'Decoding Firebase ID token failed. Make sure you passed the entire string JWT which represents an ID token. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.'
},
codePrefix: 'auth'
}
How to fix this?
The verifyIdToken() method takes the user's ID token as a parameter, not the UID. You get the user's UID in the DecodedIdToken object. To get the user's ID token in your React Native app, try this:
const token = await firebase.auth().currentUser.getIdToken();
Then pass this token to your backend and verify it. You must not pass the UID to check user identity. Always verify the ID tokens.
From the documentation,
If your Firebase client app communicates with a custom backend server, you might need to identify the currently signed-in user on that server. To do so securely, after a successful sign-in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity and authenticity of the ID token and retrieve the uid from it. You can use the uid transmitted in this way to securely identify the currently signed-in user on your server.
You can read more about Token based authentication here.
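The server side of the flow the answer describes, as an added example that is not part of the question or answer above: an Express-style middleware that reads the ID token from the Authorization header and hands it to a verifyIdToken-compatible function, plus a structural check showing why a bare UID fails (a Firebase ID token is a JWT with three dot-separated base64url segments; a UID has none). The verifier is injected so the code runs without firebase-admin; in a real backend you would pass admin.auth().verifyIdToken.bind(admin.auth()). The function names, the fake verifier and the sample token string are constructed for this example.

```javascript
// A Firebase ID token is a JWT: three base64url segments separated by dots.
// A UID like 'Tx90EgWkSCf6M23KjsfH5Cf5vIv1' has no dots, which is why the
// Admin SDK rejects it with auth/argument-error before any signature check.
function looksLikeJwt(value) {
  if (typeof value !== 'string') return false;
  const parts = value.split('.');
  return parts.length === 3 && parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p));
}

// Pull the token out of an "Authorization: Bearer <token>" header.
function extractBearerToken(headers) {
  const header = headers.authorization || headers.Authorization;
  if (!header) return null;
  const match = /^Bearer\s+(\S+)$/.exec(header);
  return match ? match[1] : null;
}

// Build a middleware around any verifyIdToken-compatible function:
// verifyIdToken(token) resolves to an object with a `uid` (firebase-admin's
// DecodedIdToken) or rejects on a malformed, expired or forged token.
function createAuthMiddleware(verifyIdToken) {
  return async function requireFirebaseUser(req, res, next) {
    const token = extractBearerToken(req.headers || {});
    if (!token || !looksLikeJwt(token)) {
      res.status(401).json({ error: 'missing or malformed ID token' });
      return;
    }
    try {
      const decoded = await verifyIdToken(token);
      // Only the verified token identifies the user; never trust a uid
      // supplied in the request body or query string.
      req.user = { uid: decoded.uid };
      next();
    } catch (err) {
      res.status(401).json({ error: 'invalid ID token' });
    }
  };
}

// Run the middleware against a constructed request and report the outcome.
// In an Express app you would app.use(createAuthMiddleware(...)) instead.
async function runMiddleware(verifyIdToken, headers) {
  const req = { headers };
  const outcome = { status: 200, body: null, user: null, nextCalled: false };
  const res = {
    status(code) { outcome.status = code; return this; },
    json(body) { outcome.body = body; return this; },
  };
  const middleware = createAuthMiddleware(verifyIdToken);
  await middleware(req, res, () => {
    outcome.nextCalled = true;
    outcome.user = req.user;
  });
  return outcome;
}

// Constructed stand-in for admin.auth().verifyIdToken. It accepts exactly one
// constructed token string (header {"alg":"RS256"}, payload {"uid":"user1"},
// signature "signature") and does not check any real signature.
const FAKE_TOKEN = 'eyJhbGciOiJSUzI1NiJ9.eyJ1aWQiOiJ1c2VyMSJ9.c2lnbmF0dXJl';
async function fakeVerifyIdToken(token) {
  if (token !== FAKE_TOKEN) throw new Error('auth/argument-error');
  return { uid: 'user1' };
}
```

The UID from the question is rejected by looksLikeJwt before the verifier is even called, while a well-formed token that the verifier accepts sets req.user.uid and lets the request through; anything the verifier rejects gets a 401 without leaking why.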