Unable to decode Firebase JWT - javascript

I am creating a web application and I want to implement Firebase authentication and help users to login using Google, Facebook or Twitter.
Users login using Firebase on my website I receive login information in my Javascript.
As per Firebase documentation, instead of passing UID received in the JS, I send the token id to the backend server so that it can authenticate the source and retrieve the user id.
I use PHP-JWT to check and validate the token returned by Firebase. However, the Key ID in the header is not matching with any of the Key ID defined in https://www.googleapis.com/robot/v1/metadata/x509/securetoken#system.gserviceaccount.com where, as per the verification document, is where I can find the public keys.

Can you print out the 'iss' and 'exp' fields in the Firebase token payload when your server can not validate the token? The issuer ('iss') should start with https://securetoken.google.com/, and the issued time ('iat') should be 1-2 seconds earlier than your system time when your server received the token.

Related

Add idToken generated by identitytoolkit.googleapis.com api to firebase javascript web client

My platform sends out links to phone numbers; when a user opens the link I need to verify that the person opening the link has access to the phone number that received the link. I send the access code from my backend to the phone number that received the link. The client app then receives the access code, submits it to the back end, and receives an idToken and refreshToken in exchange. But I need help figuring out how to get this idToken generated by the identitytoolkit.googleapis.com API to the user on firebase web SDK so that the SDK can continue to manage token persistence for me.
I have tried adding the token using signInWithCustomToken, but it results in an "INVALID_CUSTOM_TOKEN" error.

Serverless Discord OAuth Method

I want to create a serveless login system with Discord OAuth. There are two ways I can think of doing this which are written below.
My questions are as follows: Am I barking up the wrong tree with these two potential methods? If either of the methods are suitable which would you go with? Is there a much better way of doing this?
User signs in with discord and an access token is provided
The access token is stored in a database along with the username and user ID
Session Cookie
The user is provided with a session cookie containing a user ID and session token. Each time the user needs to authenticate the session token is checked against the session token stored in the database - this requires calls to the database each time a user needs to authenticate which could potentially make things very slow.
JWT
The user is provided with a JSON web token every time a user needs to authenticate a serverless function is used to check that this token is valid and has not been tampered with - this comes with it's own security problems such as difficulty to implement token invalidation

How to set up firebase FCM with Admin SDK for database triggers

I am trying to set up FCM notifications for database triggers using the Firebase Admin SDK and Node js. Based on what I read in the docs, I understand you need the device notification key to send a notification. However, how should the server get the device notification key? Is this something that should be passed from the client to the server? Or is this something that I can look up from my server with an Auth id?
Since the FCM should be fired when the Firebase Database receives an update, I'm not sure how to request then the device notification key responsible for that update.
Thanks
You will need to store all the tokens in a database, where your sender code can then read them from.
If you look at the sample code in the Firebase documentation on setting up your app for receiving message, you'll see code like this:
public void onNewToken(String token) {
Log.d(TAG, "Refreshed token: " + token);
// If you want to send messages to this application instance or
// manage this apps subscriptions on the server side, send the
// FCM registration token to your app server.
sendRegistrationToServer(token);
}
The call to sendRegistrationToServer is an example of what you might do: it is a function that sends the token to your server, which then presumably stores it in the database.
If you then look at this example of sending messages to users when data is written to a database, you'll see that it reads the tokens from the database, uses them to send messages to all relevant tokens, and then cleans up tokens that have expired.

What is the correct process for creating a token based API?

I have an SPA frontend using React and a backend in Ruby on Rails.
I am using react-google-login to get a JWT (JSON-Web-Token) for the user on the frontend. The user clicks the provided login button and, if successful, it returns a JWT. Would the process for interaction with the API go as follows?
Step five is where I need some technical guidance or advice.
[Frontend] Get JWT from Google
[Frontend] Store JWT in cookie
[Frontend] Send JWT with each request to the API
[API] Decode JWT to get user information
[API] How would I verify that this user information is correct? Should I have a data store of users and verify their info against that? Just check if the name in the token matches the name of a user?
[API] If JWT is valid, send data from request

Parse "Bring our own login" installationId mismatch for created Session

I have a self-hosted parse server (https://github.com/ParsePlatform/parse-server), I have some cloud code on my parse server to register the user because i'm using a custom authentification method. (has described here: http://blog.parse.com/announcements/bring-your-own-login/).
The flow works that way:
Start custom login process on client (ios)
Call a custom "registerUser" function in my cloud code to finish auth process
In the cloud code :
Validate my user (part of my custom authentification)
Sign in the user to parse (if it does not exists)
Login the user to parse
Send the login session token back to the client
Back in my client, "become" the user with the session token
My problem
I have a valid Session object for my user, which match the session token returned to the client. BUT, the installationID of the session does not match the Installation object of my user.
This is a problem because when I try to send a push notification to a specific user, I find the session, but can't find any installation corresponding to that session.
The installationID from the session comes from the cloud code, or parse server itself instead of coming from the user device.
Hypothesis
Either I am missing a step in the cloud code to associate the session (and thus user session token) to the user installation.
Or maybe there is a bug with the installationID in the session which does not correspond to any Installation in my database. I think this installationID comes from the parse server because it changes everytime I restart the server and become the session is created from the cloud code (login is done from the cloud code).
Can someone understand the problem and have a fix or a workaround for that ?
Thanks

Categories