I am implementing sign-in logic for my app's backend, built using Express with TypeScript, and leveraging the Firebase Admin SDK. However, after exploring the methods provided by the auth instance and browsing the documentation multiple times, I noticed that user authentication seems to primarily occur on the client side via the standard Firebase SDK.
This has left me confused about the best approach:
idToken received from the client using the Firebase Admin SDK?I'm unsure which option to choose, particularly regarding which approach is more secure and aligns with best practices for authentication.
user authentication seems to primarily occur on the client side via the standard Firebase SDK.
Yes, this is how it works.
Should I install the regular Firebase SDK in my backend to handle authentication, as I've seen in some articles?
No, that won't work well at all. Firebase isn't designed to maintain login state on the backend. The client obtains auth tokens and sends them to the backend when needed.
Or should the frontend handle authentication entirely while the backend focuses on validating the idToken received from the client using the Firebase Admin SDK?
Yes, again, that's how it works. This situation is explained specifically in the documentation:
If your Firebase client app communicates with a custom backend server, you might need to identify the currently signed-in user on that server. To do so securely, after a successful sign-in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity and authenticity of the ID token and retrieve the uid from it. You can use the uid transmitted in this way to securely identify the currently signed-in user on your server.