Correct way to validate mobile number with Firebase
I know I can use Firebase's phone validation on Android and iOS, but the problem is that the client-side validation information can easily be spoofed on the client side, because I only use an SSL certificate on the server side, so only the client knows that the server is trusted.
So I decided to send the mobile number to the server side and check it there: send a verification code and request this verification code from the user. But I don't see any server-side C++ Firebase SDK; only the client-side C++ SDK is available. So I have two options:
- Understand how client-side validation can be trusted on the server side (note that I may have untrusted clients). This would mean that I could use the Firebase phone number auth method.
- Use server side confirmation.
Please help me clear up this misunderstanding about Firebase.
The client side absolutely works here. The flow looks like this:
- You request sign-in using a phone number
- The Firebase Phone Auth server sends a code to that number
- The user enters the code into your app, which submits it to the Firebase Auth server
- The Firebase Auth server returns a Firebase Auth token to you
This works because an attacker can only know the code if they have the phone. It does not guarantee that the device matches the phone number (the user can have two phones, or log in with the phone on a laptop), but it does check that the user has access to that number.
For checking that on your own backend, you get a Firebase ID token. This is just a small piece of base64-encoded JSON, but importantly, it is cryptographically signed by Firebase. This means that on your server you can verify that it was actually created by Firebase, for the user and the phone number that it contains. A user is unable to create one of these tokens without access to that account.
Refer to the docs on verifying ID tokens for more!
So your next steps:
Get the Firebase ID token
You can do this every time the user logs in.
import androidx.annotation.NonNull;
import com.google.android.gms.tasks.OnCompleteListener;
import com.google.android.gms.tasks.Task;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.auth.GetTokenResult;

// getCurrentUser() returns null if nobody is signed in yet
FirebaseUser mUser = FirebaseAuth.getInstance().getCurrentUser();
if (mUser != null) {
    // getIdToken(true) forces a refresh; it replaces the older getToken(boolean)
    mUser.getIdToken(true)
        .addOnCompleteListener(new OnCompleteListener<GetTokenResult>() {
            @Override
            public void onComplete(@NonNull Task<GetTokenResult> task) {
                if (task.isSuccessful()) {
                    String idToken = task.getResult().getToken();
                    // Send token to your backend via HTTPS
                    // ...
                } else {
                    // Handle error -> task.getException();
                }
            }
        });
}
Check the content of the ID token on the server.
Admin SDKs are configured out of the box to validate the correct certificate, audience, expiration date, and other important properties of the ID token.
const admin = require('firebase-admin');
// Initialise once at startup with your service account / default credentials
admin.initializeApp();

// Checks the signature, issuer, audience (your project ID) and expiry for you
admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    var uid = decodedToken.uid;
    var phoneNumber = decodedToken.phone_number; // set for phone sign-in
    // ...
  }).catch(function(error) {
    // Handle error: reject the request, the token cannot be trusted
  });
decodedToken will also contain properties for the phone number!