我正在创建一个自定义用户管理系统,涉及所有要在应用程序服务器上的应用程序数据,但是电话应该由firebase进行身份验证。当新用户在系统上注册时,将执行Firebase电话身份验证。从Firebase成功进行身份验证后,注册数据会通过API转到服务器。现在的问题是,如何检查服务器端电话号码是否已通过Firebase认证?如果我允许在没有服务器端Firebase身份验证的情况下进行注册,则有人可能会欺骗API请求。我目前正在使用kreait/firebase-php ^4.18
Firebase SDK for PHP。我现在正在使用的流程如下所示,我想要实现的流程也可以表示为:
更新25/09/2019
The library Kreait\Firebase
helped to achieve to implement flow as given in answer by @jeromegamez in the accepted answer, However, the Kreait\Firebase
does not support the idToken
validation for ios device. IOS device has google idToken rather having firebase IdToken and hence Kreait\Firebase
failed to validate it. Brief issue is given in Firebase IOS idToken invalid kid
Exception in the backend while verifyIdToken
in Gmail Auth post.
When a user successfully authenticates with their phone number for the first time, the phone number is stored in the user's record in the Firebase Auth User list and can be considered verified.
Once a phone number is associated with a user in your Auth database, you can be sure that
You should not assume that this phone number is now "verified". As stated in the official Firebase documentation pages:
Security concerns
Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.
如果您在应用中使用基于电话号码的登录,则应将其与更安全的登录方法一起提供,并告知用户使用电话号码登录的安全权衡。
来源:https://firebase.google.com/docs/auth/web/phone-auth#security-concerns
PS:向用户添加电话号码的唯一其他方法是通过Admin SDK,在这里,您有责任确保电话号码属于用户。
PSS:据我所知(并已检查),Firebase REST API不会公开“已验证的电话号码”信息。
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句