Proper way to verify user's mobile number using Firebase


Problem description

I know that I can use Firebase's phone verification on Android and iOS, but the problem is that the information about the client's verification can easily be forged on the client side, because I'm using only a server-side SSL certificate, so only the client knows that the server is trusted.

So, I decided to send the mobile number to the server side and check it there: send a verification code and ask the user for this verification code. But I can't see any C++ server Firebase SDK; only the client-side C++ SDK is available. So, I have two options:

  • Understand how to trust the client-side verification on the server side (note that I may have untrusted clients)? That would mean I can use the primary Firebase phone number authentication method.
  • Use server-side phone verification.

Please help me with this misunderstanding in Firebase.

Recommended answer

Client side absolutely works here. The flow is like this:

  1. You request to sign in with a phone number
  2. The Firebase Phone Auth server sends a code to that number
  3. The user enters the code into your app, which sends it to the Firebase Auth server
  4. The Firebase Auth server returns a Firebase Auth token to you

This works because a malicious user could only know the code if they had your phone. It doesn't guarantee the device is the one with that phone number (the user could have two phones, or sign in with a phone on a laptop), but it does verify that the user has access to that number.

For verifying that to your own backend, you retrieve a Firebase ID token. This is just a little bundle of base64-encoded JSON, but importantly it's cryptographically signed by Firebase. This means that on your server you can verify that it was really created by Firebase, for the user and phone number contained within it. A user couldn't generate one of those tokens without access to the underlying account.

See the docs on verifying ID tokens for more!

So your next steps would be:

You can do this any time you're signed in.

FirebaseUser mUser = FirebaseAuth.getInstance().getCurrentUser();
// getToken(true) forces a refresh; newer Firebase SDKs name this method getIdToken(true)
mUser.getToken(true)
    .addOnCompleteListener(new OnCompleteListener<GetTokenResult>() {
        public void onComplete(@NonNull Task<GetTokenResult> task) {
            if (task.isSuccessful()) {
                String idToken = task.getResult().getToken();
                // Send token to your backend via HTTPS
                // ...
            } else {
                // Handle error -> task.getException();
            }
        }
    });

Verify on the server the contents of the ID token.

The admin SDKs are set up out of the box to check for the right certificate, audience, expiry, and other important properties of an ID token.

admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    var uid = decodedToken.uid;
    // ...
  }).catch(function(error) {
    // Handle error
  });

decodedToken will contain properties for the phone number too!
