8

I'm Creating a custom User Management system, involves all the App data to be on application server, but the phone should be authenticated by firebase. When New User Register on System, Firebase Phone Authentication takes place. On successful authentication from firebase, Registration Data goes to Server via API. Now the Problem is, how do I check server side that the phone number is authenticated by firebase or not? If I allow registration without server-side firebase auth validation, API Request can be spoofed by someone. I'm currently using kreait/firebase-php ^4.18 Firebase SDK for PHP. The Flow I'm Using Right Now is Demonstrated belowCurrunt Flow of Registration and the flow I want to implement is also can be given as, Proposed Solution to Secure the Registration flow.

Update 25/09/2019

The library Kreait\Firebase helped to achieve to implement flow as given in answer by @jeromegamez in the accepted answer, However, the Kreait\Firebase does not support the idToken validation for ios device. IOS device has google idToken rather having firebase IdToken and hence Kreait\Firebase failed to validate it. Brief issue is given in Firebase IOS idToken invalid kid Exception in the backend while verifyIdToken in Gmail Auth post.

Improve this question
1
  • I forgot to mention that the first flow is vulnerable to false registration. Commented Mar 12, 2019 at 12:24

2 Answers 2

Reset to default
9

The Firebase Rest API has the method for that.

On the device, after the user is authenticated and you have the User object, to get the token for verification, you can call

Then, with that temporary id token, you can send a POST request to https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=[API_KEY] (API_KEY being the "Web API Key" of the Firebase project) to get the user info, which will include the phoneNumber of the owner of the token.

Thus you can verify server-side that the owner of the token has that specific phone number.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Exactly what I was looking for! Couldn't use the Firebase suggested verification way ( firebase.google.com/docs/auth/admin/… ), because our backend is php platform and they don't provide verification libraries for it. They do provide a bit of info about manually validating that JWT token, but... mindfuck.
3

When a user successfully authenticates with their phone number for the first time, the phone number is stored in the user's record in the Firebase Auth User list and can be considered verified.

Once a phone number is associated with a user in your Auth database, you can be sure that

  • the phone number is valid
  • the phone number has successfully been used to authenticate the user at the point in time the number has been associated with said user
  • the phone number cannot be associated to another user

You should not assume that this phone number is now "verified". As stated in the official Firebase documentation pages:

Security concerns

Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.

If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.

Source: https://firebase.google.com/docs/auth/web/phone-auth#security-concerns

PS: The only other way to add a phone number to a user is through an Admin SDK, and here it's your responsibility to ensure that the phone number belongs to a user.

PSS: As far as I know (and checked), the Firebase REST APIs don't expose a "verified phone number" information.

Improve this answer

5 Comments

it is not related to exposing the verified phone number details.i'm working parallelly on Firebase and my server. When the user verifies his phone, on the success, it calls my rest API with that phone number, the issue is how do i verify that phone number is verified by firebase or not in server side implementation?.
If it's your mobile phone application and your server side application, you should be able to trust yourself. The user verifies his phone from inside your app, then you send the (verified) phone number to your backend. From your backend you check with the Firebase API that the phone numbers match, and you should be good to go.
What if any user decodes application and acquires the API being called onSuccess of Authentication. This API could be run with Postman also.
You should secure your API. The problem you‘re describing applies to any application - in a web application, you don‘t even have to decompile the app, but just look in the network console. That‘s what all the authentication procedures are about: securing that who tries to do something is allowed to do so.
@jeromegamez. I understand KiranManiya concern. Normally, API is secured with app's access token after user's logged-in. But in this case, users are between the authentication process (that's why we're authenticating their phone number), thus API can't be secured yet.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.