
Verify clients Firebase token at node.js server

Posted by: admin November 30, 2017


I’m implementing a node.js server using express.js for REST and Firebase for data storage.

I have read Using NodeJs with Firebase – Security, and it could be implemented in this manner, but in my case I need to send data to server and server must return a redirect address, so using firebase as communication channel is a bit complex.

I’m currently verifying the clients’ identity at the server by sending a Firebase auth token as a query parameter and checking authorization with the firebase auth() method.

// authenticate the Firebase reference with the token the client sent
dataRef.auth(CLIENT_TOKEN, function(error) {
  if (error) {
    console.log("Login Failed!", error);
  } else {
    console.log("Login Succeeded!");
  }
});

The problem is that in the server I also need firebase “admin” privileges. To achieve this, I need to authenticate again using firebase auth() with an admin token (generated by firebase-token-generator).

var FirebaseTokenGenerator = require("firebase-token-generator");
var tokenGenerator = new FirebaseTokenGenerator(YOUR_FIREBASE_SECRET);
var token = tokenGenerator.createToken({some: "arbitrary", data: "here"});

I noticed that there is a limitation in auth() method:

Note that all references to a Firebase share the same authentication status. So if you call new Firebase( ) twice and call auth() on one of them, they will both be authenticated.

Is there a way to implement this without calling auth() twice?

Or are there better solutions to do this?


Based on comments and after the implementation, it seems the best solution is to use a generic JWT library, such as:

With the help of the library, you can decode the token with the firebase secret:

// assumes a jwt-simple style library, whose decode(token, secret) also verifies the signature
var jwt = require("jwt-simple");

// decode
var decoded = jwt.decode(token, secret);
console.log(decoded); //=> {"v":0,"iat":1359943067,"d":{"id":"[email protected],com"}}

The decoded token contains iat (issued at) and may contain exp (expires). If exp is not provided, the default expiration time for a firebase token is 24 hours. You need to check whether the token has expired.

More details at: