Phone Authentication Validation from Server Side Firebase + PHP


Solution 1

When a user successfully authenticates with their phone number for the first time, the phone number is stored in the user's record in the Firebase Auth User list and can be considered verified.

Once a phone number is associated with a user in your Auth database, you can be sure that

  • the phone number is valid
  • the phone number has successfully been used to authenticate the user at the point in time the number has been associated with said user
  • the phone number cannot be associated with another user

You should not assume that this phone number is now "verified". As stated in the official Firebase documentation pages:

Security concerns

Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.

If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.

Source: https://firebase.google.com/docs/auth/web/phone-auth#security-concerns

PS: The only other way to add a phone number to a user is through an Admin SDK, and here it's your responsibility to ensure that the phone number belongs to a user.

PPS: As far as I know (and checked), the Firebase REST APIs don't expose "verified phone number" information.

Solution 2

The Firebase REST API has a method for that.

On the device, after the user is authenticated and you have the User object, to get the token for verification, you can call

Then, with that temporary id token, you can send a POST request to https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=[API_KEY] (API_KEY being the "Web API Key" of the Firebase project) to get the user info, which will include the phoneNumber of the owner of the token.

Thus you can verify server-side that the owner of the token has that specific phone number.
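The server-side half of the flow described in this answer, written out as an added example (not code from the answer or from the Firebase project): the backend takes the phone number and ID token the client submits, asks `accounts:lookup` which account the token belongs to, and accepts the registration only if the phone number on that account matches. `FIREBASE_WEB_API_KEY` is a placeholder for the project's own "Web API Key"; `phoneNumberMatchesToken` and `firebasePhoneForIdToken` are names chosen here.

```php
<?php
// Added example: check server-side that the phone number a client submits belongs to the
// Firebase user whose ID token it presents. Uses only the REST endpoint from the answer.
declare(strict_types=1);

const FIREBASE_WEB_API_KEY = 'YOUR_WEB_API_KEY'; // placeholder: the project's "Web API Key"

/**
 * Ask Firebase which account the ID token belongs to and return its phone number.
 * Returns null if the token is rejected or the account has no phone number.
 */
function firebasePhoneForIdToken(string $idToken): ?string
{
    $url = 'https://identitytoolkit.googleapis.com/v1/accounts:lookup?key='
        . rawurlencode(FIREBASE_WEB_API_KEY);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_POSTFIELDS     => json_encode(['idToken' => $idToken]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null; // invalid or expired token, wrong API key, or network failure
    }
    $data = json_decode($body, true);
    // Firebase answers with a "users" array; the token identifies exactly one account.
    return $data['users'][0]['phoneNumber'] ?? null;
}

/** True only when Firebase confirms the token's owner has exactly this phone number. */
function phoneNumberMatchesToken(string $claimedPhone, string $idToken): bool
{
    $verified = firebasePhoneForIdToken($idToken);
    // Firebase stores numbers in E.164 form (+<country><number>); the client's copy is
    // never trusted on its own, only as a claim to compare against Firebase's record.
    return $verified !== null && hash_equals($verified, $claimedPhone);
}

// Registration endpoint: the client must send the phone number *and* the ID token.
$input = json_decode((string) file_get_contents('php://input'), true) ?? [];
if (!phoneNumberMatchesToken((string) ($input['phone'] ?? ''), (string) ($input['idToken'] ?? ''))) {
    http_response_code(401);
    exit(json_encode(['error' => 'phone number not verified by Firebase']));
}
// ... continue registration with $input['phone'] only after this check has passed
```

A request forged without a valid ID token (for example replayed from Postman) fails the lookup and is rejected before any registration data is stored.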


Author: Kiran Maniya

Updated on June 04, 2022

Comments

  • Kiran Maniya
    Kiran Maniya almost 2 years

    I'm creating a custom user management system, which involves all the app data being on the application server, but the phone should be authenticated by Firebase. When a new user registers on the system, Firebase phone authentication takes place. On successful authentication from Firebase, the registration data goes to the server via an API. Now the problem is: how do I check server-side whether the phone number is authenticated by Firebase or not? If I allow registration without server-side Firebase auth validation, the API request can be spoofed by someone. I'm currently using kreait/firebase-php ^4.18 Firebase SDK for PHP. The flow I'm using right now is demonstrated below (Current Flow of Registration), and the flow I want to implement can be given as: Proposed Solution to Secure the Registration flow.

    Update 25/09/2019

    The library Kreait\Firebase helped to implement the flow as given by @jeromegamez in the accepted answer. However, Kreait\Firebase does not support the idToken validation for an iOS device. The iOS device has a Google idToken rather than a Firebase idToken, and hence Kreait\Firebase failed to validate it. A brief issue is given in the post Firebase IOS idToken invalid kid Exception in the backend while verifyIdToken in Gmail Auth.

  • Kiran Maniya
    Kiran Maniya about 5 years
    It is not related to exposing the verified phone number details. I'm working in parallel on Firebase and my server. When the user verifies his phone, on success it calls my REST API with that phone number. The issue is: how do I verify, in the server-side implementation, whether that phone number is verified by Firebase or not?
  • jeromegamez
    jeromegamez about 5 years
    If it's your mobile phone application and your server side application, you should be able to trust yourself. The user verifies his phone from inside your app, then you send the (verified) phone number to your backend. From your backend you check with the Firebase API that the phone numbers match, and you should be good to go.
  • Kiran Maniya
    Kiran Maniya about 5 years
    What if any user decodes the application and acquires the API being called onSuccess of authentication? This API could be run with Postman as well.
  • jeromegamez
    jeromegamez about 5 years
    You should secure your API. The problem you're describing applies to any application - in a web application, you don't even have to decompile the app, but just look in the network console. That's what all the authentication procedures are about: securing that whoever tries to do something is allowed to do so.
  • Daron Tancharoen
    Daron Tancharoen over 3 years
    @jeromegamez, I understand KiranManiya's concern. Normally, an API is secured with the app's access token after the user has logged in. But in this case, users are in the middle of the authentication process (that's why we're authenticating their phone number), thus the API can't be secured yet.
  • Starwave
    Starwave over 2 years
    Exactly what I was looking for! I couldn't use the verification way Firebase suggests ( firebase.google.com/docs/auth/admin/… ), because our backend is a PHP platform and they don't provide verification libraries for it. They do provide a bit of info about manually validating that JWT token, but... mindfuck.