Phone Authentication Validation from Server Side Firebase + PHP
Solution 1
When a user successfully authenticates with their phone number for the first time, the phone number is stored in the user's record in the Firebase Auth User list and can be considered verified.
Once a phone number is associated with a user in your Auth database, you can be sure that
- the phone number is valid
- the phone number has successfully been used to authenticate the user at the point in time the number has been associated with said user
- the phone number cannot be associated to another user
You should not assume that this phone number is now "verified". As stated in the official Firebase documentation pages:
Security concerns
Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.
If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.
Source: https://firebase.google.com/docs/auth/web/phone-auth#security-concerns
PS: The only other way to add a phone number to a user is through an Admin SDK, and here it's your responsibility to ensure that the phone number belongs to a user.
PSS: As far as I know (and checked), the Firebase REST APIs don't expose a "verified phone number" information.
Solution 2
The Firebase Rest API has the method for that.
On the device, after the user is authenticated and you have the User object, to get the token for verification, you can call
- with Android -
getIdToken()
- with iOS
- Swift -
getIDToken()
- Objective-C -
-getIDTokenWithCompletion:
- Swift -
- with JS (web or other platforms) -
getIdToken()
- with React Native -
getIdToken()
- and bunch of other platforms in the docs
Then, with that temporary id token, you can send a POST request to https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=[API_KEY] (API_KEY
being the "Web API Key" of the Firebase project) to get the user info, which will include the phoneNumber
of the owner of the token.
Thus you can verify server-side that the owner of the token has that specific phone number.
Related videos on Youtube
Kiran Maniya
I love Javascript, die heart fan of Vue, expert in React, played with Electron. Over the past few years, I worked in around 8 javascript frameworks, Laravel, Core PHP. I'm almost #Workoholic. Few years back, I started programming carrier with Android and PHP. I believe in Start today, Tomorrow is an illusion. I'm a freelancer, Expert in React Native/React Native Web, and Open for Good Opportunities.
Updated on June 04, 2022Comments
-
Kiran Maniya almost 2 years
I'm Creating a custom User Management system, involves all the App data to be on application server, but the phone should be authenticated by firebase. When New User Register on System, Firebase Phone Authentication takes place. On successful authentication from firebase, Registration Data goes to Server via API. Now the Problem is, how do I check server side that the phone number is authenticated by firebase or not? If I allow registration without server-side firebase auth validation, API Request can be spoofed by someone. I'm currently using
kreait/firebase-php ^4.18
Firebase SDK for PHP. The Flow I'm Using Right Now is Demonstrated below and the flow I want to implement is also can be given as,Update 25/09/2019
The library
Kreait\Firebase
helped to achieve to implement flow as given in answer by @jeromegamez in the accepted answer, However, theKreait\Firebase
does not support theidToken
validation for ios device. IOS device has google idToken rather having firebase IdToken and henceKreait\Firebase
failed to validate it. Brief issue is given in Firebase IOS idToken invalidkid
Exception in the backend whileverifyIdToken
in Gmail Auth post. -
Kiran Maniya about 5 yearsit is not related to exposing the verified phone number details.i'm working parallelly on Firebase and my server. When the user verifies his phone, on the success, it calls my rest API with that phone number, the issue is how do i verify that phone number is verified by firebase or not in server side implementation?.
-
jeromegamez about 5 yearsIf it's your mobile phone application and your server side application, you should be able to trust yourself. The user verifies his phone from inside your app, then you send the (verified) phone number to your backend. From your backend you check with the Firebase API that the phone numbers match, and you should be good to go.
-
Kiran Maniya about 5 yearsWhat if any user decodes application and acquires the API being called onSuccess of Authentication. This API could be run with Postman also.
-
jeromegamez about 5 yearsYou should secure your API. The problem you‘re describing applies to any application - in a web application, you don‘t even have to decompile the app, but just look in the network console. That‘s what all the authentication procedures are about: securing that who tries to do something is allowed to do so.
-
Daron Tancharoen over 3 years@jeromegamez. I understand KiranManiya concern. Normally, API is secured with app's access token after user's logged-in. But in this case, users are between the authentication process (that's why we're authenticating their phone number), thus API can't be secured yet.
-
Starwave over 2 yearsExactly what I was looking for! Couldn't use the Firebase suggested verification way ( firebase.google.com/docs/auth/admin/… ), because our backend is php platform and they don't provide verification libraries for it. They do provide a bit of info about manually validating that JWT token, but... mindfuck.