如何验证firebase令牌服务器端?

I have a firebase account where I manually create the users who will be abled to use my site (sign up is not public, but it is not relevant to this inquiry)

In the login page, the authentication is through javascript.
Once the user enters their mail and password the corresponding function is executed, I get the token and I send it to my PHP server via url redirection. Something like this:

firebase.auth().signInWithEmailAndPassword(inputemail, inputpassw)
    .then( function(user) {

        myEmail = user.email;
        myUid = user.uid;

        user.getIdToken()
            .then( function(token){
                myToken = token;

                location.href = "http://www.example.com/verify?email="+myEmail+"&token="+myToken+"&uid="+myUid;

            });

    }, function (error) {
       ...
    }); 

Then, on my server I will have the mail, the uid, and the token.
So, my question is:
How do I verify that the token is valid? It is impossible?
I know the token is encrypted, but the key is public... so anyone could make a valid token!
I mean, for instance, I have an expired token, I can decode it, change the expiration time, encode it again and gain access to my server without knowing any password

Is there something I'm missing?

Apparently I can not verify the token via REST.
What alternative do I have?

duanhan8757
duanhan8757 toolong
3 年多之前 回复
dsfovbm931034814
dsfovbm931034814 toolong
3 年多之前 回复
ds0802
ds0802 toolong
3 年多之前 回复
dswm97353
dswm97353 你读完整个问题了吗?
3 年多之前 回复
dsd57259
dsd57259 无需调用Firebase服务器即可验证ID令牌。所有信息都在令牌本身中,并且可以使用服务凭证进行解码。请参阅stackoverflow.com/questions/42084299/...和stackoverflow.com/questions/37634305/...和packagist.org/packages/firebase/php-jwt
3 年多之前 回复

1个回答



来自Firebase 文档:</ p>


Firebase Admin SDK具有用于验证和解码ID令牌的内置方法。 如果提供的ID令牌具有正确的格式,未过期且已正确签名,则该方法将返回已解码的ID令牌。</ strong>您可以从已解码的令牌中获取用户或设备的uid。< / p>
</ blockquote>

因此,您无需担心有人试图生成假令牌。</ p>

要在PHP中验证令牌, 如文档 Firebase Admin SDK中所述 for PHP </ p>

验证令牌的最小代码:</ p>

 使用Kreait \ Firebase; 
use Firebase \ Auth \ Token \ Exception \ InvalidToken;

//创建Firebase工厂对象
// $ firebase =(new Firebase \ Factory()) - &gt; create();

//从客户端获取令牌
// $ idTokenString ='eyJhbGciOiJSUzI1 ...';

try {
$ verifiedIdToken = $ firebase-&gt; getAuth() - &gt; verifyIdToken($ idTokenString);
} catch(InvalidToken $ e){\ n echo $ e-&gt; getMessage();
}

$ uid = $ verifiedIdToken-&gt; getClaim('sub');
$ user = $ firebase-&gt; getAuth() - &gt; getUser($ uid);
echo $ user;

</ code> </ pre>
</ div>

展开原文

原文

From the Firebase Documentation:

The Firebase Admin SDK has a built-in method for verifying and decoding ID tokens. If the provided ID token has the correct format, is not expired, and is properly signed, the method returns the decoded ID token. You can grab the uid of the user or device from the decoded token.

So, you do not need to worry about someone trying to generate fake tokens.

To verify the token in PHP, as described in the docs Firebase Admin SDK for PHP

Minimal code for verifying the token:

use Kreait\Firebase;
use Firebase\Auth\Token\Exception\InvalidToken;

//create Firebase factory object
//$firebase = (new Firebase\Factory())->create();

//get a token from client 
//$idTokenString = 'eyJhbGciOiJSUzI1...';

try {
    $verifiedIdToken = $firebase->getAuth()->verifyIdToken($idTokenString);
} catch (InvalidToken $e) {
    echo $e->getMessage();
}

$uid = $verifiedIdToken->getClaim('sub');
$user = $firebase->getAuth()->getUser($uid);
echo $user; 

dpj997991
dpj997991 too long
接近 2 年之前 回复
dongta1824
dongta1824 too long
接近 2 年之前 回复
douwei1930
douwei1930 同样,您可以使用公钥解码令牌,但不能使用公钥对其进行编码。 如果使用公钥对其进行编码,则服务器上的令牌验证将失败。 我认为它适用于你的情况,因为你有公钥和私钥。 但世界其他地方没有你的私钥。 如果你仍然认为你可以这样做,那么写一封电子邮件给谷歌,你会超越他们!
3 年多之前 回复
duancaiyi7567
duancaiyi7567 我重复我说的话:“如果我发现了一个过期的令牌,我可以对其进行解码,更改过期时间,再次对其进行编码,并在不知道任何密码的情况下访问我的服务器。” 事实上,这就是我所做的并且有效。 所以我认为现在唯一的解决方案就是生成自己的令牌
3 年多之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问
相关内容推荐