I am working on a Next.js app using Firebase authentication. I have managed to implement an authentication system that also generates a session-cookie (in simple words a token we get after successful authentication using getIdToken()). I need to verify it in my app for some reasons. As per the official documentation of Firebase:
Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com and use a JWT library to verify the signature. Use the value of max-age in the Cache-Control header of the response from that endpoint to know when to refresh the public keys.
I don't understand how I can verify the token using this. I have simply copy-pasted the key from the URL provided above and replaced all \n with new lines. Here is what I have tried:
const jwt = require("jsonwebtoken");

// Key pasted from the Google endpoint, with the escaped \n replaced by real newlines
const publicKey = `-----BEGIN CERTIFICATE-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsz8sS5pS6KBoX1ph7IXEdfUhv
PA7S5Eg5B9sPSLrEVtowMGXxpVSJXoJdN8aPP8NrZq0MhW1dHL//Uqg0TTtBv+8F
IV9SgXrrbHv7jFtwWWqSALwy6XFs+hPi2ES7OOIPxKtkm1n8tMF0dTjrxPR56xCz
qwuewD5JGJhPWdgJbQIDAQAB
-----END CERTIFICATE-----`;

// cookieValue holds the session cookie / ID token obtained via getIdToken()
jwt.verify(
  cookieValue,
  publicKey,
  { algorithms: ["RS256"] },
  (err, decoded) => {
    if (err) {
      console.error("Token verification failed:", err.message);
    } else {
      console.log("Token verified successfully:", decoded);
    }
  }
);
But I am getting the error Token verification failed: secretOrPublicKey must be an asymmetric key when using RS256 each time. I have tried to put the key in different string formats, but still no luck.