我是否需要在 firebase 云函数中的 context.auth 对象上使用 verifyIdToken? [英] Do I need to use verifyIdToken on the context.auth object in firebase cloud functions?

问题描述

使用可调用函数，我的意图是只允许登录用户对此进行调用.

Using a callable function, my intention is to only allow logged-in users to make calls to this.

export const sendMessage = functions.https.onCall(async (data, context) => {

从那里的 context 参数，我有身份验证令牌.但总的来说，我对 firebase 还是很陌生，我不想在这里因为误解而犯下严重错误.如果我退出了，context.auth 会变为空——很简单.但是我是否需要确保身份验证令牌是有效的并且不是编造的"?还是通过调用 verifyIdToken?

From the context param there, I have the auth token. But I'm just very new to firebase in general and I don't want to make a critical mistake by misunderstanding here. If I'm logged out, context.auth becomes null-- easy enough. But do I need to be sure that the auth token is valid and not "made up" by calling verifyIdToken anyway?

如果没有，那么只是检查 context.auth 是否为空，以确保用户已登录?

If not, then is simply checking that context.auth isn't null enough to be sure that the user is logged-in?

推荐答案

但我是否需要确保身份验证令牌有效且不是编造"的?还是通过调用 verifyIdToken?

But do I need to be sure that the auth token is valid and not "made up" by calling verifyIdToken anyway?

不，这是自动发生的.您可以确定 context.auth 如果不为空，则已验证.如文档所述:

No, that happens automatically. You can be sure the context.auth is verified if not null. As stated in the documentation:

functions.https.onCall 触发器自动反序列化请求正文并验证身份验证令牌.

The functions.https.onCall trigger automatically deserializes the request body and validates auth tokens.

这篇关于我是否需要在 firebase 云函数中的 context.auth 对象上使用 verifyIdToken?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！