Firebase’s built-in replay protection for App Check tokens is currently only available in the Node.js Admin SDK, via the { consume: true } option of appCheck().verifyToken(), which marks the token as used and reports whether it had already been consumed. Backends written in other languages get no native replay protection out of the box. You still need to verify the token’s signature and claims yourself: fetch Firebase’s public keys, validate the JWT signature, and check the issuer, audience, and expiry claims.
To implement replay protection yourself, store a unique identifier for each verified token in a fast-access cache such as Redis, with a TTL equal to the time remaining until the token expires (exp minus now). Use the JWT ID (jti) claim if the token carries one; otherwise store a hash of the entire token string rather than the raw token. Two points matter in practice. First, do the replay check only after signature and claim verification succeeds, so an attacker cannot fill the cache with forged or expired tokens. Second, the check and the mark must be a single atomic operation (in Redis, SET with NX and EX); a separate "is it in the cache?" read followed by a write leaves a window in which two concurrent requests with the same token both pass. If the atomic set fails, the token has already been consumed and the request is rejected; if it succeeds, the token is now marked and the request proceeds. This prevents replay even without Admin SDK support.
import time

# Atomic check-and-mark with redis-py: SET NX EX succeeds only if the key is
# absent, so two concurrent requests carrying the same token cannot both pass.
# token_jti and token_exp come from the already-verified JWT claims.
ttl = max(1, token_exp - int(time.time()))
if cache.set(f"appcheck:{token_jti}", 1, ex=ttl, nx=True):
    process_request()
else:
    reject_request("Replay detected")
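The following is an added, self-contained example of the post-verification claim checks and the atomic consume step described above; it is not Firebase's or the Admin SDK's code. It assumes the JWT signature has already been verified against Firebase's public keys (not shown), uses an in-memory ReplayGuard that mimics the Redis SET NX EX semantics so it runs offline, and takes the issuer/audience layout (iss of the form https://firebaseappcheck.googleapis.com/<project number>, aud containing projects/<project number> or projects/<project id>) as an assumption to confirm against the App Check documentation. The project number, project ID, claims and token strings are constructed sample values.

```python
import hashlib
import threading
import time

# Constructed sample values (assumptions for this example, not real projects).
PROJECT_NUMBER = "123456789012"
PROJECT_ID = "example-app"


class ReplayGuard:
    """In-memory stand-in for Redis `SET key 1 EX ttl NX`.

    set_if_absent() is atomic: exactly one caller wins for a given key until
    the entry expires, so two concurrent requests carrying the same token
    cannot both pass the check-then-mark step. The clock is injectable so
    expiry can be exercised deterministically.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._lock = threading.Lock()
        self._store = {}  # key -> expiry timestamp (unix seconds)

    def set_if_absent(self, key, ttl):
        with self._lock:
            now = self._now()
            expiry = self._store.get(key)
            if expiry is not None and expiry > now:
                return False  # already consumed and not yet expired
            self._store[key] = now + ttl
            return True


def replay_key(token, claims):
    """Cache key for a token: the jti claim when present, otherwise a SHA-256
    of the whole token string (never store raw tokens in the cache)."""
    jti = claims.get("jti")
    if jti:
        return "appcheck:jti:" + jti
    return "appcheck:sha256:" + hashlib.sha256(token.encode("utf-8")).hexdigest()


def check_claims(claims, now):
    """Claim checks that follow signature verification (assumed done already
    against Firebase's public keys). Returns None if valid, else a reason.
    The issuer/audience layout is an assumption of this example."""
    expected_iss = "https://firebaseappcheck.googleapis.com/" + PROJECT_NUMBER
    if claims.get("iss") != expected_iss:
        return "bad issuer"
    aud = claims.get("aud") or []
    if isinstance(aud, str):
        aud = [aud]
    if "projects/" + PROJECT_NUMBER not in aud and "projects/" + PROJECT_ID not in aud:
        return "bad audience"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return "expired"
    if not claims.get("sub"):
        return "missing subject"
    return None


def verify_and_consume(token, claims, guard, now=None):
    """Request-time check: claims first, then one-time consumption.
    Returns "ok", "replay", or the claim failure reason."""
    now = int(time.time()) if now is None else now
    reason = check_claims(claims, now)
    if reason:
        return reason  # rejected before touching the cache
    # TTL is the time left until exp; after that the claims check rejects the
    # token anyway, so the cache entry does not need to outlive it.
    ttl = claims["exp"] - now
    if not guard.set_if_absent(replay_key(token, claims), ttl):
        return "replay"
    return "ok"


if __name__ == "__main__":
    # Constructed decoded payload, as it would look after JWT verification.
    t0 = 1_700_000_000
    sample_claims = {
        "iss": "https://firebaseappcheck.googleapis.com/" + PROJECT_NUMBER,
        "aud": ["projects/" + PROJECT_NUMBER, "projects/" + PROJECT_ID],
        "sub": "1:" + PROJECT_NUMBER + ":web:constructed",
        "iat": t0,
        "exp": t0 + 3600,
    }
    guard = ReplayGuard(now=lambda: t0)
    print(verify_and_consume("hdr.payload.sig", sample_claims, guard, now=t0))  # ok
    print(verify_and_consume("hdr.payload.sig", sample_claims, guard, now=t0))  # replay
```

In production, replace ReplayGuard with a shared Redis instance (cache.set(key, 1, ex=ttl, nx=True) in redis-py has the same semantics) so that every backend replica sees the same consumed set; a per-process cache would let a replayed token succeed on a different instance.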
So, while Firebase doesn’t provide direct replay protection outside Node.js, you can build a lightweight and effective custom solution by combining manual JWT verification with token consumption tracking. If you want, I can help you write a full example in your language of choice!