I have a Firebase account where I manually create the users who will be able to use my site (sign-up is not public, but that is not relevant to this question).
On the login page, authentication is done through JavaScript.
Once the user enters their email and password, the corresponding function is executed, I get the token, and I send it to my PHP server via a URL redirection. Something like this:
    firebase.auth().signInWithEmailAndPassword(inputemail, inputpassw)
      .then(function (user) {
        // In the SDK version used here the resolved value is the User object
        myEmail = user.email;
        myUid = user.uid;
        // Ask Firebase for the current ID token (a signed JWT) for this user
        user.getIdToken()
          .then(function (token) {
            myToken = token;
            // Hand email, token and uid to the PHP server as query-string parameters
            // (note: this puts the token in the URL, so it ends up in server/proxy logs)
            location.href = "http://www.example.com/verify?email=" + myEmail +
                            "&token=" + myToken + "&uid=" + myUid;
          });
      }, function (error) {
        ... // error handling
      });
Then, on my server, I will have the email, the uid, and the token.
So, my question is:
How do I verify that the token is valid? Is it impossible?
I know the token is encrypted, but the key is public... so anyone could make a valid token!
I mean, for instance, if I have an expired token, I can decode it, change the expiration time, encode it again, and gain access to my server without knowing any password.
Is there something I'm missing?
Apparently I cannot verify the token via REST.
What alternative do I have?