Advanced usage
Authentication middleware might not fully support every use-case. To help you with more complex authentication flows, next-firebase-auth-edge provides a set of low-level building blocks:
getFirebaseAuth
getFirebaseAuth function provides a number of server-side methods to handle more complex authentication flows.
import { getFirebaseAuth } from "next-firebase-auth-edge";
const {
getCustomIdAndRefreshTokens,
verifyIdToken,
createCustomToken,
handleTokenRefresh,
getUser,
getUserByEmail,
createUser,
updateUser,
deleteUser,
verifyAndRefreshExpiredIdToken,
setCustomUserClaims,
} = getFirebaseAuth({
apiKey: 'YOUR FIREBASE API KEY',
serviceAccount: {
projectId: 'your-firebase-project-id',
clientEmail: 'firebase-adminsdk-nnw48@your-firebase-project-id.iam.gserviceaccount.com',
privateKey: '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n'
}
});Options
| Name | Type | Description | |
|---|---|---|---|
| apiKey | string | Required | Firebase Web API Key retrieved from Firebase Project settings overview page. Please note that this API Key will be visible only after you enable Firebase Authentication in your Firebase project |
| serviceAccount | { projectId: string; clientEmail: string; privateKey: string } | Optional in authenticated Google Cloud Run (opens in a new tab) environment. Otherwise required | Firebase Service Account credentials |
| tenantId | string | Optional | Specify if your project supports multi-tenancy (opens in a new tab) |
| serviceAccountId | string | Optional | Forces specific service account ID inside authenticated Google Cloud Run (opens in a new tab) environment |
Methods
| Name | Type | Description |
|---|---|---|
| getCustomIdAndRefreshTokens | (idToken: string, appCheckToken?: string) => Promise<IdAndRefreshTokens> | Generates a new set of id and refresh tokens for user identified by provided idToken. Accepts optional appCheckToken as a third argument. You should pass it if your app supports App Check (opens in a new tab) |
| verifyIdToken | (idToken: string, checkRevoked?: boolean) => Promise<DecodedIdToken> | Verifies provided idToken. Throws AuthError. See source code (opens in a new tab) for possible error types. |
| createCustomToken | (uid: string, developerClaims?: object) => Promise<string> | Creates a custom token for given firebase user. Optionally, it's possible to attach additional developerClaims |
| handleTokenRefresh | (refreshToken: string) => Promise<VerifyTokenResult> | Returns id token and decodedToken for given refreshToken |
| getUser | (uid: string) => Promise<UserRecord> | Returns Firebase UserRecord by uid |
| getUserByEmail | (email: string) => Promise<UserRecord> | Returns Firebase UserRecord by email |
| createUser | (request: CreateRequest) => Promise<UserRecord> | Creates user and returns UserRecord. See official firebase Create a user (opens in a new tab) docs for request examples |
| updateUser | (uid: string, request: UpdateRequest) => Promise<UserRecord> | Updates user by uid and returns UserRecord. See official firebase Update a user (opens in a new tab) docs for request examples |
| deleteUser | (uid: string) => Promise<void> | Deletes user |
| setCustomUserClaims | (uid: string, customClaims: object ∣ null) => Promise<void> | Sets custom claims for given user. Overwrites existing values. Use getUser to fetch current claims |
| verifyAndRefreshExpiredIdToken | (token: string, refreshToken: string) => Promise<VerifyTokenResult> | Verifies provided idToken. If token is expired, uses refreshToken to validate it. Throws InvalidTokenError if credentials are missing or malformed. |