Authenticate a Firebase User on the Server How to setup express middleware for serverside auth in Firebase 264 words. By Jeff Delaney Created May 22, 2020 Last Updated May 22, 2020 Slack #node #security #authentication The following snippet demonstrates how to setup server-side authentication in Firebase on any node server using Express.js. Note. If using Firebase Cloud Functions, you can use Callable Functions to automatically handle this type of authentication. Client-side: Include the ID Token Your client-side code must attach the ID token to the authorization header when making a request to the server. The example below uses the browser’s built in fetch API. file_type_js_official frontend-app.js import firebase from 'firebase'; const auth = firebase.auth(); const url = 'https://your-cloud-function-url'; async function fetchFromAPI() { const user = auth.currentUser; const token = user && (await user.getIdToken()); const res = await fetch(url, { methodL 'GET', headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}`, }, }); return res.json(); } Server-side: Verify ID the Token On the server-side, find the the ID token in the request headers and decode it with the Firebase Admin SDK. The following middleware simply adds a currentUser property to the request. file_type_typescript express-app.ts const express = require('express') const admin = require('firebase-admin') admin.initializeApp(); const app = express(); // Decodes the Firebase JSON Web Token app.use(decodeIDToken); /** * Decodes the JSON Web Token sent via the frontend app * Makes the currentUser (firebase) data available on the body. */ async function decodeIDToken(req: Request, res: Response, next: NextFunction) { if (req.headers?.authorization?.startsWith('Bearer ')) { const idToken = req.headers.authorization.split('Bearer ')[1]; try { const decodedToken = await admin.auth().verifyIdToken(idToken); req['currentUser'] = decodedToken; } catch (err) { console.log(err); } } next(); } Access the Firebase user data in your routes. app.get('/hello', (req, res) => { const user = req['currentUser']; if (!user) { res.status(403).send('You must be logged in!'); } })