Skip to main content

Module verify

Module verify 

Source
Expand description

Session cookie verification.

Session cookies are RS256-signed JWTs like ID tokens, but with two differences confirmed against the official Node.js and Python Admin SDK source (COOKIE_CERT_URI/COOKIE_ISSUER_PREFIX vs. ID_TOKEN_CERT_URI/ID_TOKEN_ISSUER_PREFIX in token-verifier.ts/_token_gen.py), and directly against Google’s endpoints:

  • Issuer: https://session.firebase.google.com/<project-id>, not https://securetoken.google.com/<project-id>.
  • Signing keys: a separate X.509 certificate endpoint (https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys), not the securetoken JWKS used for ID tokens — see crate::auth::session_cookie::certs.

Structs§

SessionCookieVerifier
Verifies Firebase session cookies against Google’s session-cookie certificate endpoint and the project’s expected issuer/audience.