Firebase-admin-node: FR: Validate phone number in the server

Created on 20 Jul 2017  路  14Comments  路  Source: firebase/firebase-admin-node

I'd like to suggest a way to validade the phone number in the server.
Something like validatePhoneNumber(verificationId, verificationCode) (which returns the phone number, for example) would be very useful.

Maybe also a validatePhoneNumber(verificationId, verificationCode, phoneNumber) that returns a Boolean.

I don't see how to verify if the phone is valid without creating an account. The client has sent the sms, the user has submited the verification code, but the only methods available are to link or signin (which would create an account with sJks92mda0 uid).

PS: A way to set/change the uid of a firebase user would also be a workaround to me, because then I would be able to create the account in the client and change the uid in the server.

  • Operating System version: macOS Sierra 10.12.6
  • Firebase-admin version: 5.0.1
  • Firebase Product: auth
auth feature request

Most helpful comment

@brunolemos This sounds similar to #46 (Except with phone numbers, instead of email). Are you requesting for the ability to initiate the phone number verification flow in the Admin SDK?

All 14 comments

What I'm currently doing, which feels like an ugly workaround:

  • Client sends verificationId and verificationCode to the server

    • Server create a temporary user account outside firebase (postgres database) to get the incremental id

    • createCustomToken(idFromPostgres) creates the firebase user with correct uid

    • Link firebase account with the phone using linkWithCredential (had to install firebase package in the server, before it was only firebase-admin)

    • If link was successful, great, means phone is valid.

    • If not, deletes the temporary accounts created (on postgres database and on firebase).

    • Account successfully created with correct uid.

I am having a hard time understanding your use case. We are working on adding the ability update/create accounts with phone numbers with admin privileges: https://github.com/firebase/firebase-admin-node/pull/58
Typically a user signs in with phone number on the client. After sign-in, you can send the Firebase ID token to your server, and there would be a phone number in that token which you can trust (validated and verified by Firebase Auth).

@bojeil-google the use case is that if it's created in the client, the user uid will be something like uJSh399dakms, but the project I'm on was unfortunately implemented in a way that the uid must be the same as the postgres database, e.g. 12345.

So separating phone validation from account creation would be awesome.

@brunolemos This sounds similar to #46 (Except with phone numbers, instead of email). Are you requesting for the ability to initiate the phone number verification flow in the Admin SDK?

This is a very specific custom use case.
To summarize, you want the ability to do phone authentication but retain the ability to provide your own user ID for the created user.
I will suggest one solution:

  1. Do the phone auth verification process on the client. At the end of the flow, you have a phone number, verification ID and verification code.
  2. Send those to your server if this is a new user (existing user case does not require this).
  3. Mint a custom token for your user with your postgres uid (using admin SDK).
  4. Use client SDK (node.js one) and signInWithCustomToken.
  5. Use customUser.linkWithCredential(firebase.auth.PhoneAuthProvider.credential(verificationId, verificationCode))
  6. If this succeeds, your new user has now a verified phone number and has the custom uid you want.
  7. You can now send the custom token to the client to signInWithCustomToken and get back that same user on the client.

@bojeil-google Thanks, that's exactly what I'm doing at the moment. Initially I found it "wrong" to have to put the client sdk in the server, but it's working fine. Also makes me wonder if signing in/out users in the server frequently won't cause some conflicts, because the app is used by some hundreds concurrently.

@hiranya911 it's a bit similar, yes.

Are you requesting for the ability to initiate the phone number verification flow in the Admin SDK?

Yes, kinda, more specifically a way to check if the phone number is valid without creating an account, not necessarily a way to send the verification code sms.

Yeah I see that issue. You would need to use the user reference returned via signInWithCustomToken promise and ignore currentUser or listening to onAuthStateChanged. The performance may not be optimized but you should be OK. I will relay your request to the Auth team. As @hiranya911 mentioned, we've had some other requests for client side API on the admin SDK side of things. Some are prioritized higher than other, like sending email verification.

@bojeil-google Thanks! I hope they understand and agree to work on it.

@brunolemos I'm looking to do similar thing. did you succeed to do that?

@adirzoari I'm doing the way I mentioned above https://github.com/firebase/firebase-admin-node/issues/59#issuecomment-316647790 which is not ideal but works

But think about this situation. User sign in with phone for first time, you get his uid then into Authentication table in firebase console it add his phone number and uid. Then user remove app and install again then try to sign in with same phone number,firebase generate new uid. But not update this uid in Authentication table

Sending & validating verification codes in Cloud Functions is a really obvious capability, it's frustrating it's sitting on the shelf

Was this page helpful?
0 / 5 - 0 ratings