从JavaScript身份验证发送时，验证PHP中的Firebase令牌

Working on a project that involves a Firebase-utilizing JavaScript web app that reaches out to a PHP file carrying protected functionality.

In order to do this I get a (JWT) token by calling:

firebase.auth().currentUser.getToken(true)

The full function being:

firebase.auth().currentUser.getToken(true).then(function(idToken) {

    var uid = firebase.auth().currentUser.uid;

    var http = new XMLHttpRequest();
    var url = "http://localhost/jwt.php";
    var params = "token=" + idToken + "&uid=" + uid;
    http.open("POST", url, true);

    //Send the proper header information along with the request
    http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

    http.onreadystatechange = function() {//Call a function when the state changes.
        if(http.readyState == 4 && http.status == 200) {
            alert(http.responseText);
        }
    }
    http.send(params);      

  console.log("TOKEN: " + idToken);
}).catch(function(error) {
  // Handle error
});

On the PHP side I'm validating the token using the lcobucci/jwt library.

use Lcobucci\JWT\Parser;
use Lcobucci\JWT\ValidationData;
use Lcobucci\JWT\Signer\Keychain;
use Lcobucci\JWT\Signer\Rsa\Sha256;

$data = new ValidationData();
$data->setIssuer('https://securetoken.google.com/<Project ID>');

$signer = new Sha256();
$keychain = new Keychain();

if($_POST["token"]) {
    $token = (new Parser())->parse((string) $_POST["token"]);
    $token->getHeaders(); // Retrieves the token header
    $token->getClaims(); // Retrieves the token claims

    $kid = $token->getHeader('kid');
    $iat = $token->getClaim('iat'); 

    //Grab Google keys
    $json_url = file_get_contents('https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com');
    $json = json_decode($json_url, true);

    $public_key = $json[$kid]; // Matches kid from header to private key provided by Google


    try {
        $isTokenValid = $token->verify($signer, $public_key); // Verify token
    } catch (Exception $e) {
        $isTokenValid = false;
    }

    if($isTokenValid) {

        echo "Valid"; // Add protected functionality here

    } else {
        echo "Invalid";
    }
}

My question is: is this secure?

Yes, verifying the token signature like this is secure. This will prove that the token content was not modified and signed with a key from Google.

You can learn more about JWT here: https://jwt.io/introduction/

Additionally you can validate the token

$token->validate($data);

This will validate the the issuer (iss claim) and expiration time of the token (exp claim) https://github.com/lcobucci/jwt/blob/3.2/README.md