我是否需要在Firebase云函数中的context.auth对象上使用verifyIdToken? [英] Do I need to use verifyIdToken on the context.auth object in firebase cloud functions?

问题描述

使用可调用函数，我的意图是仅允许登录用户对此进行调用.

Using a callable function, my intention is to only allow logged-in users to make calls to this.

export const sendMessage = functions.https.onCall(async (data, context) => {

从那里的 context 参数中，我有了auth令牌.但是，对于Firebase来说，我只是一个新手，我不想在这里由于误解而犯下严重错误.如果我登出， context.auth 会变为null，这很容易.但是我是否需要确保auth令牌有效，而不是虚构"令牌?还是通过调用 verifyIdToken ?

From the context param there, I have the auth token. But I'm just very new to firebase in general and I don't want to make a critical mistake by misunderstanding here. If I'm logged out, context.auth becomes null-- easy enough. But do I need to be sure that the auth token is valid and not "made up" by calling verifyIdToken anyway?

如果不是，那么只是检查 context.auth 是否不足以确保用户已登录?

If not, then is simply checking that context.auth isn't null enough to be sure that the user is logged-in?

推荐答案

但是我是否需要确保auth令牌有效，而不是虚构"?还是通过调用verifyIdToken吗?

But do I need to be sure that the auth token is valid and not "made up" by calling verifyIdToken anyway?

否，这会自动发生.您可以确定 context.auth 是否已验证为null.如文档中所述:

No, that happens automatically. You can be sure the context.auth is verified if not null. As stated in the documentation:

函数.https.onCall触发器会自动反序列化请求正文并验证身份验证令牌.

The functions.https.onCall trigger automatically deserializes the request body and validates auth tokens.

这篇关于我是否需要在Firebase云函数中的context.auth对象上使用verifyIdToken?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！