Authenticate a Firebase User on the Server

The following snippet demonstrates how to setup server-side authentication in Firebase on any node server using Express.js.

Note. If using Firebase Cloud Functions, you can use Callable Functions to automatically handle this type of authentication.

Client-side: Include the ID Token

Your client-side code must attach the ID token to the authorization header when making a request to the server. The example below uses the browser’s built in fetch API.

file_type_js_official frontend-app.js
import firebase from 'firebase';
const auth = firebase.auth();
const url = 'https://your-cloud-function-url';


async function fetchFromAPI() {

  const user = auth.currentUser;
  const token = user && (await user.getIdToken());

  const res = await fetch(url, {
    methodL 'GET',
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${token}`,
    },
  });

  return res.json();
}

Server-side: Verify ID the Token

On the server-side, find the the ID token in the request headers and decode it with the Firebase Admin SDK. The following middleware simply adds a currentUser property to the request.

file_type_typescript express-app.ts
const express = require('express')
const admin = require('firebase-admin')
admin.initializeApp();

const app = express();

// Decodes the Firebase JSON Web Token
app.use(decodeIDToken);

/**
 * Decodes the JSON Web Token sent via the frontend app
 * Makes the currentUser (firebase) data available on the body.
 */
async function decodeIDToken(req: Request, res: Response, next: NextFunction) {
  if (req.headers?.authorization?.startsWith('Bearer ')) {
    const idToken = req.headers.authorization.split('Bearer ')[1];

    try {
      const decodedToken = await admin.auth().verifyIdToken(idToken);
      req['currentUser'] = decodedToken;
    } catch (err) {
      console.log(err);
    }
  }

  next();
}

Access the Firebase user data in your routes.

app.get('/hello', (req, res) => {

    const user = req['currentUser'];

    if (!user) { 
        res.status(403).send('You must be logged in!');
    }
})

Q&A Chat