duanqiao1880 2016-12-01 00:59
Views: 82

Verifying a Firebase token in PHP when it is sent from JavaScript authentication

Working on a project that involves a Firebase-utilizing JavaScript web app that reaches out to a PHP file carrying protected functionality.

In order to do this I get a (JWT) token by calling:

firebase.auth().currentUser.getToken(true)

The full function being:

firebase.auth().currentUser.getToken(true).then(function(idToken) {

    var uid = firebase.auth().currentUser.uid;

    var http = new XMLHttpRequest();
    var url = "http://localhost/jwt.php";
    var params = "token=" + idToken + "&uid=" + uid;
    http.open("POST", url, true);

    //Send the proper header information along with the request
    http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

    http.onreadystatechange = function() { // Call a function when the state changes.
        if(http.readyState == 4 && http.status == 200) {
            alert(http.responseText);
        }
    }
    http.send(params);

    console.log("TOKEN: " + idToken);
}).catch(function(error) {
  // Handle error
});

On the PHP side I'm validating the token using the lcobucci/jwt library.

use Lcobucci\JWT\Parser;
use Lcobucci\JWT\ValidationData;
use Lcobucci\JWT\Signer\Rsa\Sha256;

$data = new ValidationData();
$data->setIssuer('https://securetoken.google.com/<Project ID>');

$signer = new Sha256();

if(isset($_POST["token"])) {
    $token = (new Parser())->parse((string) $_POST["token"]);
    $token->getHeaders(); // Retrieves the token header
    $token->getClaims(); // Retrieves the token claims

    $kid = $token->getHeader('kid');
    $iat = $token->getClaim('iat');

    //Grab Google keys (JSON object of X.509 certificates, keyed by kid)
    $json_url = file_get_contents('https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com');
    $json = json_decode($json_url, true);

    // Matches kid from header to the certificate (public key) provided by Google;
    // an unknown kid leaves $public_key null so the token is rejected below
    $public_key = (is_array($json) && isset($json[$kid])) ? $json[$kid] : null;

    try {
        $isTokenValid = ($public_key !== null) && $token->verify($signer, $public_key); // Verify signature
    } catch (Exception $e) {
        $isTokenValid = false;
    }

    if($isTokenValid) {

        echo "Valid"; // Add protected functionality here

    } else {
        echo "Invalid";
    }
}

My question is: is this secure?


1 answer

  • duan1396 2017-09-20 08:46

    Yes, verifying the token signature like this is secure. This will prove that the token content was not modified and was signed with a key from Google.

    You can learn more about JWT here: https://jwt.io/introduction/

    Additionally you can validate the token

    $token->validate($data);
    

    This will validate the issuer (iss claim) and the expiration time of the token (exp claim); see https://github.com/lcobucci/jwt/blob/3.2/README.md

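The signature check in the question plus the `validate($data)` call from the answer, put together as one verification routine. This is an added example, not code from the question, the answer, or the lcobucci/jwt project; it targets the 3.2 API the answer links to and fetches certificates from the same Google endpoint the question already uses. It assumes a Composer autoloader, a placeholder project ID, and the token-checking rules Firebase documents for ID tokens (alg RS256, a known kid, matching iss and aud, exp in the future, iat in the past, non-empty sub). The function and constant names are the example's own.

```php
<?php
// Added example: complete Firebase ID-token verification with lcobucci/jwt 3.2.
// Assumptions: Composer autoload is present, FIREBASE_PROJECT_ID is a placeholder
// you replace, and the browser posts the token as the "token" form field.
require 'vendor/autoload.php';

use Lcobucci\JWT\Parser;
use Lcobucci\JWT\ValidationData;
use Lcobucci\JWT\Signer\Rsa\Sha256;

const FIREBASE_PROJECT_ID = '<Project ID>'; // placeholder: your Firebase project ID
const GOOGLE_CERTS_URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';

/**
 * Fetch Google's current signing certificates as an array keyed by "kid",
 * or null if the download or the JSON decode failed.
 */
function fetchGoogleCerts() {
    $body = @file_get_contents(GOOGLE_CERTS_URL);
    if ($body === false) {
        return null;
    }
    $certs = json_decode($body, true);
    return is_array($certs) ? $certs : null;
}

/**
 * Verify a Firebase ID token. Returns the Firebase uid (the "sub" claim) on
 * success, or null on any failure; $error receives the reason for rejection.
 */
function verifyFirebaseIdToken($jwt, array $certs, &$error = null) {
    try {
        $token = (new Parser())->parse((string) $jwt);
    } catch (Exception $e) {
        $error = 'malformed token';
        return null;
    }

    // 1. Pin the algorithm: the token itself must not choose something weaker than RS256.
    if (!$token->hasHeader('alg') || $token->getHeader('alg') !== 'RS256') {
        $error = 'unexpected alg';
        return null;
    }

    // 2. The kid must name one of Google's currently published certificates.
    if (!$token->hasHeader('kid') || !isset($certs[$token->getHeader('kid')])) {
        $error = 'unknown kid';
        return null;
    }

    // 3. Signature check against that certificate (a PEM X.509 cert, which openssl accepts as a public key).
    try {
        if (!$token->verify(new Sha256(), $certs[$token->getHeader('kid')])) {
            $error = 'bad signature';
            return null;
        }
    } catch (Exception $e) {
        $error = 'signature verification error';
        return null;
    }

    // 4. Claims: iss and aud must belong to this project; exp must be in the future
    //    and iat in the past. ValidationData defaults to the current time for exp/iat/nbf.
    $data = new ValidationData();
    $data->setIssuer('https://securetoken.google.com/' . FIREBASE_PROJECT_ID);
    $data->setAudience(FIREBASE_PROJECT_ID);
    if (!$token->hasClaim('exp') || !$token->hasClaim('iat') || !$token->validate($data)) {
        $error = 'claims rejected (iss/aud/exp/iat)';
        return null;
    }

    // 5. The user identity comes from the signed "sub" claim and must be non-empty.
    $uid = $token->hasClaim('sub') ? (string) $token->getClaim('sub') : '';
    if ($uid === '') {
        $error = 'missing sub';
        return null;
    }
    return $uid;
}

// Usage: the uid is taken from the verified token, never from the posted "uid" field.
$certs = fetchGoogleCerts();
$uid = ($certs !== null && isset($_POST['token']))
    ? verifyFirebaseIdToken($_POST['token'], $certs, $why)
    : null;

if ($uid === null) {
    http_response_code(401);
    echo 'Invalid';
} else {
    echo 'Valid for ' . htmlspecialchars($uid); // protected functionality goes here
}
```

Two design points worth noting. The `uid` the browser posts alongside the token is redundant and unverified; only the `sub` claim inside the signed token says who the caller is, so the example ignores the form field. And the certificate fetch is done on every request for simplicity; Google's response carries a `Cache-Control` max-age, so a production endpoint would cache the decoded certificates for that period and refetch when a token arrives with a kid it does not know.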
