I'm using Firebase SMS verification; on success, I call my backend /complete-signup
to do more work with the generated JWT (which depends on the user having verified their phone, not just having created an account with it).
Now, as mentioned in this question, there is no isPhoneVerified()
method... and getPhoneNumber()
is no help: a user can sign up with their phone, skip the verify-code step, and their account will still be created on Firebase.
Client-side validation (SharedPreferences,
as mentioned in the answer) is no help, since there's no way to communicate that info securely to my backend (or is there?), because what's preventing the user from calling my backend /complete-signup
from curl?
What I'm thinking:
- add "phone verified" as a custom claim from the client (not possible)
- create a custom token on the client containing {userId, phoneVerified} to send to my backend (super insecure!)
- get the value of the OTP code sent by Firebase in the backend to verify it (not possible)
- use another API (really don't want to do this)
- ??
ideas?
question from:
https://stackoverflow.com/questions/65894388/firebase-phone-verified-missing
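The following is an added example, not part of the original question or any answer in the thread. It shows the backend half of the flow the asker describes: /complete-signup verifies the Firebase ID token's signature server-side (with firebase-admin's `verifyIdToken`, which also checks expiry, issuer and audience) and then trusts only the claims Google put in the token. A Firebase ID token carries a `phone_number` claim and a `firebase.identities.phone` entry only when a phone credential was signed in with or linked, i.e. after the OTP was accepted, or when the number was set through the Admin SDK; the client cannot add those claims itself, and a forged token sent from curl fails signature verification. Names in the example that are assumptions rather than Firebase API: `completeSignup`, `verifiedPhoneFromClaims`, `fakeVerifier`, and the constructed sample claims.

```javascript
'use strict';

// Added example (not the asker's code). Assumes Node.js; in production the
// `verifyIdToken` parameter is `(t) => admin.auth().verifyIdToken(t)` from
// firebase-admin. It is injected here so the logic can run offline.

// Firebase stores phone numbers in E.164 form; reject anything else.
function isE164(s) {
  return typeof s === 'string' && /^\+[1-9]\d{1,14}$/.test(s);
}

/**
 * Given claims from an already signature-verified Firebase ID token, return the
 * verified phone number, or null if the token proves no phone ownership.
 * Both the top-level `phone_number` claim and `firebase.identities.phone`
 * must be present and agree.
 */
function verifiedPhoneFromClaims(decoded) {
  if (!decoded || !isE164(decoded.phone_number)) return null;
  const identities = (decoded.firebase && decoded.firebase.identities) || {};
  const phones = Array.isArray(identities.phone) ? identities.phone : [];
  if (!phones.includes(decoded.phone_number)) return null;
  return decoded.phone_number;
}

/**
 * Hypothetical handler for POST /complete-signup.
 * `authHeader`   - raw Authorization header value ("Bearer <idToken>").
 * `verifyIdToken`- async (token) => decoded claims; throws on bad signature,
 *                  expiry, wrong issuer/audience (firebase-admin does this).
 * Returns { status, body } so it can be wired to any web framework.
 */
async function completeSignup(authHeader, verifyIdToken) {
  const m = /^Bearer (\S+)$/.exec(authHeader || '');
  if (!m) return { status: 401, body: { error: 'missing bearer token' } };

  let decoded;
  try {
    decoded = await verifyIdToken(m[1]);
  } catch (e) {
    // Forged, expired or unsigned token (e.g. hand-built in curl) ends here.
    return { status: 401, body: { error: 'invalid token' } };
  }

  const phone = verifiedPhoneFromClaims(decoded);
  if (!phone) {
    // Account exists, but no OTP-verified phone is attached to it.
    return { status: 403, body: { error: 'phone not verified' } };
  }

  // ... real post-signup work for decoded.uid goes here ...
  return { status: 200, body: { uid: decoded.uid, phone } };
}

// Constructed sample claims (not captured from a real project), shaped like
// firebase-admin's DecodedIdToken.
const SAMPLE_PHONE_USER = {
  uid: 'abc123', sub: 'abc123',
  phone_number: '+15551234567',
  firebase: { sign_in_provider: 'phone', identities: { phone: ['+15551234567'] } },
};
const SAMPLE_EMAIL_ONLY_USER = {
  uid: 'def456', sub: 'def456',
  email: 'someone@example.com', email_verified: false,
  firebase: { sign_in_provider: 'password', identities: { email: ['someone@example.com'] } },
};

// Offline stand-in for admin.auth().verifyIdToken(): only tokens in `table`
// count as validly signed; anything else is rejected like a bad signature.
function fakeVerifier(table) {
  return async (token) => {
    if (!Object.prototype.hasOwnProperty.call(table, token)) {
      throw new Error('bad signature');
    }
    return table[token];
  };
}

// Stand-alone demo.
(async () => {
  const verify = fakeVerifier({ 'tok-phone': SAMPLE_PHONE_USER, 'tok-email': SAMPLE_EMAIL_ONLY_USER });
  console.log(await completeSignup('Bearer tok-phone', verify));   // 200
  console.log(await completeSignup('Bearer tok-email', verify));   // 403
  console.log(await completeSignup('Bearer forged', verify));      // 401
})();
```

To wire this into Express, pass `req.headers.authorization` and `(t) => admin.auth().verifyIdToken(t)`; the client never tells the server whether the phone was verified, the server derives that from the signed token alone, so a curl request cannot bypass the check without a token Google actually issued for a phone-verified account.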