0 votes

Using OAuth with Github on my client, I send a fetch request with the resulting token to my server. I'm getting the token as expected, but am unable to execute firebase.auth().verifyIdToken to get the token. My SDK is authenticated with a certificate credential following the admin SDK setup.

My clientAuth middleware:

const firebase = require('firebase-admin');

const db = require('../db');

module.exports = async (req, res, next) => {
  try {
    // Expect "Authorization: Bearer <token>"; req.get() returns undefined when the header is absent,
    // so the .split() below throws and the catch returns 401.
    const tokenId = req.get('Authorization').split('Bearer ')[1];
    console.log(tokenId); // yay, token
    const validToken = await firebase.auth().verifyIdToken(tokenId);
    console.log(validToken.uid); // error

    // Note: validTeam is not defined anywhere in this snippet; referencing it throws a
    // ReferenceError that the catch below also turns into a 401.
    return (validToken && validTeam) ? next() : res.status(401).end();
  } catch (e) {
    res.status(401).end();
  }
};

The error I get is 'Decoding Firebase ID token failed. Make sure you passed the entire string JWT which represents an ID token.' How do I go about verifying/decoding this token?

1
Since JWTs are transparent, can you make sure that what you are getting from console.log(tokenId) is a valid JWT? You can use a tool like jwt.io to help with that. If it is a valid JWT, does the aud claim match up with the project-id in the certificate credential json file? - Carlos Gomez
Nope, it's not a JWT. So I guess I can't use .verifyIdToken(), but then how in the world do I verify this thing? - OctaviaLo
I suspect the token being passed to the server is the Github token, not the Firebase token. Are you using this method on the frontend to get the token? firebase.google.com/docs/reference/js/firebase.User#getIdToken This guide might be helpful too: firebase.google.com/docs/auth/web/github-auth - Carlos Gomez

1 Answer

0 votes

I think this could be good; please copy this function, which is used by Google.

const admin = require('firebase-admin');

// Express middleware: accepts the Firebase ID token either as a Bearer token in the
// Authorization header or in a "__session" cookie, verifies it with the Admin SDK and
// attaches the decoded claims to req.user. Assumes admin.initializeApp() has already run.
exports.validateFirebaseIdToken = async (req, res, next) => {
    console.log('Check if request is authorized with Firebase ID token');

    if ((!req.headers.authorization || !req.headers.authorization.startsWith('Bearer ')) &&
        !(req.cookies && req.cookies.__session)) {
        console.error('No Firebase ID token was passed as a Bearer token in the Authorization header.',
            'Make sure you authorize your request by providing the following HTTP header:',
            'Authorization: Bearer <Firebase ID Token>',
            'or by passing a "__session" cookie.');
        res.status(403).send('Unauthorized');
        return;
    }

    let idToken;
    if (req.headers.authorization && req.headers.authorization.startsWith('Bearer ')) {
        console.log('Found "Authorization" header');
        // Read the ID Token from the Authorization header.
        idToken = req.headers.authorization.split('Bearer ')[1];
    } else if (req.cookies) {
        console.log('Found "__session" cookie');
        // Read the ID Token from cookie.
        idToken = req.cookies.__session;
    } else {
        // No cookie
        res.status(403).send('Unauthorized');
        return;
    }

    try {
        // verifyIdToken checks the signature, issuer, audience and expiry of the token.
        const decodedIdToken = await admin.auth().verifyIdToken(idToken);
        //console.log('ID Token correctly decoded', decodedIdToken);
        req.user = decodedIdToken;
        next();
        return;
    } catch (error) {
        console.error('Error while verifying Firebase ID token:', error);
        res.status(403).send('Unauthorized');
        return;
    }
};