Firebase Auth 验证此用户

Question

I am currently verifying my user using the Auth JS SDK and Admin Auth SDK combined. I am doing in the following approach: In the front-end:

firebase.auth().onAuthStateChanged(function (user) {
  if (user) {
    var current_user = firebase.auth().currentUser;
    current_user.getIdToken(true).then(function (idToken) {
      $.getJSON('/firebase_token', { token: idToken }, function (user) {

In the back-end:

router.get("/firebase_token", (req, res, next) => {
  admin.auth().verifyIdToken(req.query.token).then(function(decodedToken) {
    res.send(decodedToken);    
  })
})

I am wondering if this is a secured approach, because the user can just send whatever token they want from the front-end. For example, an invalid user can send a valid token they copied from a valid account to pass the token verification.

I am wondering if in the admin SDK. There is a way to detect the currently signed in user. In other words, detect this user who is using this instance of the app with the admin SDK?

Answer 1

I am wondering if this is a secured approach, because the user can just send whatever token they want from the front-end. For example, an invalid user can send a valid token they copied from a valid account to pass the token verification.

Yes, that's possible. But then again, if the user got access to a token, that means they probably are the user represented by that token, or they know the credentials of that account. That's not a problem at all - this is the way authentication systems work.

I am wondering if in the admin SDK. There is a way to detect the currently signed in user. In other words, detect this user who is using this instance of the app with the admin SDK?

No, the Admin SDK can't possibly know what all is going on for all of the users using your application. The ID token is exactly the piece of information it needs to verify users. A valid token proves that the user is who they say they are.