0

App check is a great source to protect firebase backend services, but I was wondering if we could also utilise it on custom backends similar to how custom backends can verify firebase's auth tokens?

Here is example use case scenario (was only able to find partial docs on this, so am not sure if it is possible)

  1. App Check is set up in firebase console / sdk's
  2. Can we get app check token on client in order to send it as a custom header?
  3. On the receiving server can we use admin sdk to verify such token from the header?
Ilja
  • 44,142
  • 92
  • 275
  • 498

1 Answers1

3

Using Firebase App Check to ensure your custom backend code can only be invoked from your own front-end application is possible, and documented in the pages on protecting non-Firebase resources when calling from iOS, Android and web, and in the page on verifying App Check tokens from a custom backend. From there:

To verify App Check tokens on your backend, add logic to your API endpoints that does the following:

  • Check that each request include an App Check token.

  • Verify the App Check token using the Admin SDK's appCheck().verifyToken() method.

    If verification succeeds, verifyToken() returns the decoded App Check token. Successful verification indicates the token originated from an app belonging to your Firebase project.

Reject any request that fails either check.

The documentation also contains an example of how to do this in Node.js, so I recommend checking that for more details.

There's also this blog post: Protecting Your Own Backend Services With Firebase App Check

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807