Help with Authenticating Google Sign-In Securely — Only Getting User ID

Hi,

I’m currently maxing out my ChatGPT o1 trying to ensure I’m creating a truly secure app. I have moved to here because it believes there is no secure way to use the Google sign-in block. I wondered if I could hear people’s thoughts or solutions on the following (written by GPT to succinctly describe the problem):

I’m building a Thunkable app that uses the built-in Google Sign-In block. It’s working in the sense that I get a “success” event and a user ID, but I’m trying to figure out how to securely verify that the user is truly signed in with Google.

Right now, I only see the user’s UID (like “1234567890”) — I don’t get an ID token or access token from Google. From what I’ve been reading, an ID token is a cryptographic proof that can be verified on a backend server or in Firebase Auth. Without it, I can’t confirm that this user ID is real or hasn’t been faked.

I’m new to authentication, tokens, Firebase security rules, and all the new terminology like JWTs, private keys, ID tokens, etc. Basically:

  • Should I be getting a Google ID token from the Thunkable sign-in block?
  • If not, is there a workaround or alternative sign-in method that does produce a verifiable token?
  • How do you handle this if you need to connect your Thunkable app to Firebase securely?
  • Any step-by-step examples or best practices would be amazing.

I’d love any guidance or experiences from people who have navigated this. Right now I’m worried someone could just “spoof” the sign-in by guessing the user ID. I want to ensure my user data is safe.

Thanks so much in advance for any help,
(I haven’t gotten to the Firebase sign-in but I guess it’s a similar situation, unlike the Apple sign-in which has the option for an identity token)

Jason.
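The difference between a bare UID and a verifiable ID token, as an added example (not code from this thread, Thunkable or Firebase): a minimal backend-side check of the signature and claims an ID token carries. Google signs real ID tokens with RS256 using keys it publishes; this demo signs with HS256 and a constructed secret so it runs offline, while the issuer, audience and expiry checks are the same ones a real verifier performs. The client ID, secret and timestamps are made-up values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo. A real Google ID token is RS256-signed with
# Google's published keys; HS256 with a shared secret stands in here so the
# example runs offline. The claim checks below are identical either way.
SECRET = b"demo-signing-secret"
ISSUER = "https://accounts.google.com"
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # assumed, not real

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(sub: str, aud: str = CLIENT_ID, lifetime: int = 3600, now=None) -> str:
    """Mint a demo token the way an identity provider would (test input only)."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": ISSUER, "aud": aud, "sub": sub,
                                 "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token: str, now=None) -> str:
    """Return the verified 'sub' (Google user ID) or raise ValueError.

    Signature first, so the claims can be trusted; then issuer, audience and
    expiry. Only after all of these is 'sub' safe to use as an identity.
    A bare UID string like "1234567890" fails at the very first step.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects 'none' and algorithm confusion
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # payload altered or not signed by the issuer
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for a different app")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims["sub"]
```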

Hello @classlessteacher
At the moment only sign-in via email creates a user on Firebase Auth.
By using this sign-in method you will not get any token, but you can set the rules on the Realtime Database to allow read and write only for registered users, because the app in the background stores whether a user is authenticated or not.