mar*_*cus 4 php ajax firebase firebase-authentication
我受命为基于Firebase的Android应用程序构建Web界面。我有一些与数据库交互的端点(云函数)。要访问这些端点,我需要使用电子邮件和密码[1]对用户进行身份验证,检索accessToken [2]并授权使用Authorization: Bearer {accessToken}标头对端点的每个请求进行授权。
我使用php并竭尽全力想如何在我的应用程序中管理经过身份验证的用户。
TL; DR请仅在php中查看我的最终解决方案。/sf/answers/3648372031/
我通过ajax在php会话中传输accessToken,以将cURL请求签名到端点。显然,除了使用firebase JS auth之外,别无其他方法(据我所知[4])。
我的问题是:将其保存accessToken在php会话中并通过ajax POST请求将其与每个页面加载进行比较是否足够(请参见下面的代码)?什么是在php中处理该问题的更可靠策略?
编辑: 一位用户指出,使用带有JWT令牌的经典php会话没有多大意义,我阅读了有关该主题的文章。那么关于Firebase-这是要考虑的事情吗? https://firebase.google.com/docs/auth/admin/manage-cookies
Firebase Auth为依赖会话cookie的传统网站提供服务器端会话cookie管理。与客户端短暂的ID令牌相比,此解决方案具有多个优点,客户端短暂的ID令牌可能每次需要使用重定向机制来在到期时更新会话cookie:
这是我得到的:
1.登录页面
如Firebase示例中所述[3]
function initApp() {
firebase.auth().onAuthStateChanged(function (user) {
if (user) {
// User is signed in.
// obtain token, getIdToken(false) = no forced refresh
firebase.auth().currentUser.getIdToken(false).then(function (idToken) {
// Send token to your backend via HTTPS
$.ajax({
type: 'POST',
url: '/auth/check',
data: {'token': idToken},
complete: function(data){
// data = {'target' => '/redirect/to/route'}
if(getProperty(data, 'responseJSON.target', false)){
window.location.replace(getProperty(data, 'responseJSON.target'));
}
}
});
// ...
}).catch(function (error) {
console.log(error);
});
} else {
// User Signed out
$.ajax({
type: 'POST',
url: '/auth/logout',
complete: function(data){
// data = {'target' => '/redirect/to/route'}
if(getProperty(data, 'responseJSON.target', false)){
// don't redirect to itself
// logout => /
if(window.location.pathname != getProperty(data, 'responseJSON.target', false)){
window.location.replace(getProperty(data, 'responseJSON.target'));
}
}
}
});
// User is signed out.
}
});
}
window.onload = function () {
initApp();
};
2.一个PHP控制器来处理身份验证请求
public function auth($action)
{
switch($action) {
// auth/logout
case 'logout':
unset($_SESSION);
// some http status header and mime type header
echo json_encode(['target' => '/']); // / => index page
break;
case 'check':
// login.
if(! empty($_POST['token']) && empty($_SESSION['token'])){
// What if I send some bogus data here? The call to the Endpoint later would fail anyway
// But should it get so far?
$_SESSION['token'] = $_POST['token'];
// send a redirect target back to the JS
echo json_encode(['target' => '/dashboard']);
break;
}
if($_POST['token'] == $_SESSION['token']){
// do nothing;
break;
}
break;
}
}
3.主控制器
// pseudo code
class App
{
public function __construct()
{
if($_SESSION['token']){
$client = new \GuzzleHttp\Client();
// $user now holds all custom access rights within the app.
$this->user = $client->request(
'GET',
'https://us-centralx-xyz.cloudfunctions.net/user_endpoint',
['headers' =>
[
'Authorization' => "Bearer {$_SESSION['token']}"
]
]
)->getBody()->getContents();
}else{
$this->user = null;
}
}
public function dashboard(){
if($this->user){
var_dump($this->user);
}else{
unset($_SESSION);
// redirect to '/'
}
}
}
注意:我知道这个sdk https://github.com/kreait/firebase-php,我在那里读到很多问题,在SO上的帖子中也读到很多,但是我很困惑,因为这里有关于完全管理的讨论权限等),而我实际上仅与基于Firebase的端点进行交互(加上firebase auth和firestore)。而且我仍然在php 5.6上:-/
谢谢你的时间!
我不得不承认,firebase文档和示例以及不同服务的复杂性让我感到困惑,以至于我认为仅通过JavaScript才能进行Web身份验证。错了 至少对于我来说,我只是使用电子邮件和密码登录以检索Json Web令牌(JWT),以对Firebase云功能的所有调用进行签名。无需处理奇怪的Ajax请求或通过JavaScript设置令牌cookie,我只需要调用Firebase Auth REST API
这是使用Fatfreeframework的最小情况:
登录表格
<form action="/auth" method="post">
<input name="email">
<input name="password">
<input type="submit">
</form>
路线
$f3->route('POST /auth', 'App->auth');
控制者
class App
{
function auth()
{
$email = $this->f3->get('POST.email');
$password = $this->f3->get('POST.password');
$apiKey = 'API_KEY'; // see https://firebase.google.com/docs/web/setup
$auth = new Auth($apiKey);
$result = $auth->login($email,$password);
if($result['success']){
$this->f3->set('COOKIE.token',$result['idToken']);
$this->f3->reroute('/dashboard');
}else{
$this->f3->clear('COOKIE.token');
$this->f3->reroute('/');
}
}
}
类
<?php
use GuzzleHttp\Client;
class Auth
{
protected $apiKey;
public function __construct($apiKey){
$this->apiKey = $apiKey;
}
public function login($email,$password)
{
$client = new Client();
// Create a POST request using google api
$key = $this->apiKey;
$responsee = $client->request(
'POST',
'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=' . $key,
[
'headers' => [
'content-type' => 'application/json',
'Accept' => 'application/json'
],
'body' => json_encode([
'email' => $email,
'password' => $password,
'returnSecureToken' => true
]),
'exceptions' => false
]
);
$body = $responsee->getBody();
$js = json_decode($body);
if (isset($js->error)) {
return [
'success' => false,
'message' => $js->error->message
];
} else {
return [
'success' => true,
'localId' => $js->localId,
'idToken' => $js->idToken,
'email' => $js->email,
'refreshToken' => $js->refreshToken,
'expiresIn' => $js->expiresIn,
];
}
}
}
| 归档时间: |
|
| 查看次数: |
1843 次 |
| 最近记录: |