Firebase：如何从服务器上的用户名和密码生成访问令牌？

Question

I have a Firebase app and I'm integrating Zapier. They require users to authenticate with my app through their form.

The way it works is that Zapier will request email and password from a user and send it to my endpoint to get an access token and to use it with any further requests.

I can't quite figure out how to generate an access token from username and password on server (node js) since all the authentication methods live in the client SDK.

So far I was hoping to authenticate user with the provided email/password, generate a custom token from their uid and send it back to Zapier. But I can't do that since there is no signInWithEmailAndPassword or similar methods in the server SDK.

I know I can fetch user by email, but how can I check the password than, since the corresponding methods are again only available in the client SDK?

So far I've got the following code:

const rp = require('request-promise');

app.post('/api/integrations/zapier/auth', (req, res) => {
        let data = req.body
        admin.auth().signInWithEmailAndPassword(data.email, data.password) // <- this method doesn't exist in the server sdk
            .then(response => admin.auth().createCustomToken(response.user.id))
            .then(customToken => rp({
                url: `https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key=${config.apiKey}`,
                method: 'POST',
                body: {
                    token: customToken,
                    returnSecureToken: true
                },
                json: true,
            }))
            .then(idToken => {
                res.send({
                    accessToken: idToken,
                    filed: data.email
                });
            }).catch(error => res.status(500).send(error));
    })

Answer 1

Using the Firebase Admin SDK to create custom tokens based on sign-in credentials is confusing, since the documentation states:

Create Custom Token

Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.

To achieve this, you must create a server endpoint that accepts sign-in credentials—such as a username and password —and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase ( iOS , Android , web ).

There is an example of creating a custom token based on the user's Firebase uid :

admin.auth().createCustomToken(uid)

But the documentation does not show how to verify if user credentials are valid in the first place.

Since the Firebase Admin SDK does not provide methods for verifying credentials, a work around is to use a combination of the Firebase Admin SDK as well as the Firebase Auth REST API.

1. Use the Firebase Auth REST API to Sign in with email / password
2. Upon successful authentication, use the Firebase Admin SDK method getUserByEmail
3. The Firebase Admin SDK UserRecord will contain the uid , which can then be passed to admin.auth().createCustomToken(uid)

Answer 2

From what i see, you can use Firebase Flutter package to login with Username and Password.

  var credentials = await auth.signInWithEmailAndPassword(email: email, password: password);
  String token = await credentials.user.getIdToken();

Then you can pass this token in the HTTP header as Bearer token In the server side, you can just use verifyToken from Admin SDK

FirebaseAuth.getInstance().verifyIdToken(token)