I'm using https://github.com/firebase/firebase-admin-go in my Go server application.
After looking at the documentation, I'm creating the auth.Client every time I'm checking the ID token. E. g.:
client, err := firebaseApp.Auth(ctx)
if err != nil {
return "", err
}
token, err := client.VerifyIDToken(ctx, idToken)
if err != nil {
return "", err
}
I'm already sharing the firebaseApp (a firebase.App) between goroutines.
My question: Is it safe to also share the auth.Client between goroutines or do I need to create one every time I verify the ID token? That would mean I will create one for almost every authenticated request. That seems costly to me. I couldn't find anything about it in the documentation.
Yes, it is goroutine safe.
auth.Client is intended to be shared among goroutines and reused. Specifically, the VerifyIDToken() function will cache the public keys between invocations. You should reuse the client instance to benefit from this. auth.Client performs its own locking/synchronization internally, when required (e.g.).