Verify Firebase PNV tokens

After the Firebase PNV library successfully verifies a device's phone number, it returns the verified phone number together with a signed token that contains that number. If you use the verified phone number anywhere other than in the app client, pass the token rather than the phone number itself, so that its integrity can be verified at the point of use. To verify the token, you can use any JWT verification library. Use the library to verify all of the following:

  • The typ header is set to JWT

  • The token is signed with one of the keys published at the Firebase PNV JWKS endpoint, using the ES256 algorithm:

    https://fpnv.googleapis.com/v1beta/jwks
    
  • The issuer claim contains your Firebase project number, in the following format:

    https://fpnv.googleapis.com/projects/FIREBASE_PROJECT_NUMBER
    

    You can find your Firebase project number on the Project settings page of the Firebase console.

  • The audience claim is a list containing your Firebase project number and project ID, in the following format:

    [
      https://fpnv.googleapis.com/projects/FIREBASE_PROJECT_NUMBER,
      https://fpnv.googleapis.com/projects/FIREBASE_PROJECT_ID,
    ]
    
  • The token has not expired.

Example

The following is a simple example of how an Express.js app receives a Firebase PNV token from an HTTP POST request and uses a JWT verification library to check the token's signature and claims:

Node.js

import express from "express";
import { JwtVerifier } from "aws-jwt-verify";

// Find your Firebase project number in the Firebase console.
const FIREBASE_PROJECT_NUMBER = "123456789";

// The issuer and audience claims of the FPNV token are specific to your
// project.
const issuer = `https://fpnv.googleapis.com/projects/${FIREBASE_PROJECT_NUMBER}`;
const audience = `https://fpnv.googleapis.com/projects/${FIREBASE_PROJECT_NUMBER}`;

// The JWKS URL contains the current public signing keys for FPNV tokens.
const jwksUri = "https://fpnv.googleapis.com/v1beta/jwks";

// Configure a JWT verifier to check the following:
// - The token is signed by Google
// - The issuer and audience claims match your project
// - The token has not yet expired (default behavior)
const fpnvVerifier = JwtVerifier.create({ issuer, audience, jwksUri });

const app = express();

// Parse the request body as plain text so that req.body holds the raw token
// string (without a body parser, req.body is undefined and every request
// would be rejected below).
app.use(express.text());

app.post('/verifiedPhoneNumber', async (req, res) => {
    if (!req.body) return res.sendStatus(400);
    // Get the token from the body of the request.
    const fpnvToken = req.body;
    try {
        // Attempt to verify the token using the verifier configured
        // previously.
        const verifiedPayload = await fpnvVerifier.verify(fpnvToken);

        // If verification succeeds, the subject claim of the token contains the
        // verified phone number. You can use this value however it's needed by
        // your app.
        const verifiedPhoneNumber = verifiedPayload.sub;
        // (Do something with it...)

        return res.sendStatus(200);
    } catch {
        // If verification fails, reject the token.
        return res.sendStatus(400);
    }
});

app.listen(3000);