I have a REST API that retrieves user data. In order to access this data a validated token is required. I am using the Firebase Admin SDK for PHP for this process. The following happens:
- Client creates token with Firebase
- Client sends token with php REST api call
- Firebase validates token
- api returns data
Problem
Step 3 (shown in code) is the problem here: it takes 3 to 5 seconds for the server to respond. The following code is responsible for this process:
use Kreait\Firebase\Exception\Auth\FailedToVerifyToken; // exception class from kreait/firebase-php

try {
    $verifiedIdToken = $auth->verifyIdToken($idTokenString); // 3 to 5 seconds(!)
} catch (FailedToVerifyToken $e) {
    echo 'The token is invalid: '.$e->getMessage();
}
...
*omitted*
...
Scenario
Waiting for validation on initializing the app is not that much of a problem, but the user’s data is refreshable throughout the app’s runtime and I do not want to have another validation process taking 3 to 5 seconds during runtime.
Approaches made
I considered using cookies, but since I have no idea where these cookies are stored I checked the documentation, which states the following:
Firebase Auth provides server-side session cookie management for traditional websites that rely on session cookies.
and my REST API calls are not considered a traditional website.
For a very short moment I considered storing the validated status locally on the user’s phone, but that makes no sense since it needs to call my PHP file and I can’t simply pass ‘userIsValidated’ to this call because obviously hackers will also be able to do so.
Question
Is it possible to reduce any of this validation time? If not, am I able to somehow work with cookies?
2 Answers
The most common way to reduce the impact of verification is to cache the decoded token and reuse that on subsequent requests. Several of Firebase’s own servers use this approach to good effect.
If you use the (hash of the) encoded token as the key for the cache, and the decoded token as its value, you will automatically end up using any updated token you get for the same user.
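The caching approach described above, written out in PHP as an added example that is not code from the answer or from the Firebase SDK; the adapter to kreait/firebase-php's verifyIdToken() and the process-local array store are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or from the Firebase SDK: verify each
// ID token once and reuse the decoded result, as the answer above suggests.
// The cache key is the SHA-256 of the raw JWT, so any altered or new token misses
// the cache and goes through full verification; a hit is never reused past 'exp'.
final class CachedIdTokenVerifier
{
    /** @var array<string, array{claims: array, expires: int}> process-local cache; APCu/Redis assumed in production */
    private array $cache = [];

    /**
     * @param callable $verify   wraps $auth->verifyIdToken(); must return decoded claims as an array (adapter assumed below)
     * @param int      $maxTtl   upper bound, in seconds, on how long a verified result is reused
     */
    public function __construct(private $verify, private int $maxTtl = 300) {}

    /** @return array decoded claims; on an invalid token this rethrows whatever $verify throws */
    public function verify(string $idToken, ?int $now = null): array
    {
        $now ??= time();
        $key = hash('sha256', $idToken);

        $hit = $this->cache[$key] ?? null;
        if ($hit !== null && $hit['expires'] > $now) {
            return $hit['claims'];                 // fast path: signature already checked
        }
        unset($this->cache[$key]);                 // expired entry, drop it

        $claims = ($this->verify)($idToken);       // slow path: the 3-5 second call from the question

        // lcobucci/jwt (used by kreait) exposes 'exp' as DateTimeImmutable; plain arrays use an int.
        $exp = $claims['exp'] ?? $now;
        $exp = $exp instanceof \DateTimeInterface ? $exp->getTimestamp() : (int) $exp;

        $expires = min($exp, $now + $this->maxTtl);   // never outlive the token itself
        if ($expires > $now) {
            $this->cache[$key] = ['claims' => $claims, 'expires' => $expires];
        }
        return $claims;
    }
}

// Wiring for kreait/firebase-php (assumed: v6 verifyIdToken() returns an lcobucci/jwt
// UnencryptedToken, whose claims()->all() gives the claim array):
// $verifier = new CachedIdTokenVerifier(fn (string $jwt) => $auth->verifyIdToken($jwt)->claims()->all());
// $claims   = $verifier->verify($idTokenString);
```

A cache hit skips any revocation check entirely, so keep $maxTtl short or pair the cache with the periodic checkRevoked verification the next answer describes.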
On initial successful login, create a temporary token on the server using a method of your liking, like random characters, then ship it to your client. I like to keep such temporary tokens in in-memory databases, but any storage method should suffice.
Keep track of ID tokens and temporary tokens with respect to their users. Now for every login or request, the client can use that token to authenticate, and you can decide to check for Firebase ID Token Revocation in the background or periodically, which, if revoked, can be used to force the client into sending a fresh ID token. More on: Detect ID token revocation in the SDK
Notice the additional checkRevoked boolean flag