
This doesn't actually verify/validate tokens

Open clintonb opened this issue 1 year ago • 2 comments

This strategy doesn't seem to be implemented correctly. I would expect the strategy to verify the token before passing the payload to the verify method, similar to how passport-jwt behaves. This strategy just passes the token through, and all the work is done by the implementor by calling Firebase.

passport-firebase seems to behave more like the other JWT-related strategies.

clintonb (Nov 17 '23 07:11)

The actual strategy is indeed the FirebaseAuthStrategy one from the readme. The other lib seems to verify the token by validating the token signature using the public certificate. With the FirebaseAuthStrategy from this repo, it uses the firebase-admin library to validate the token. It's true that the FirebaseAuthStrategy could be part of the library itself instead of a snippet people have to copy-paste.

Mawi137 (Nov 17 '23 08:11)

The token validation may need to be moved inside. Based on my understanding of https://github.com/jaredhanson/passport-strategy#implement-authentication, I would expect this library to call the "augmented methods" and my custom code in verify to only be invoked after successful token validation; however, it seems there is no agreed-upon standard for passport.js.

I ran into problems when I added a second strategy to my system (using NestJS). I expected passport-firebase-jwt to call `fail` to invoke the next strategy. However, it seems I have to do that in my validate method, which is not expected or documented.

clintonb (Nov 17 '23 15:11)
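The two behaviours discussed in this thread, verification inside the strategy before the application's verify callback runs, and calling `fail` so Passport moves on to the next strategy, as an added example. This is not code from passport-firebase-jwt or from either commenter. It assumes the Firebase verifier is injected as a function (in production that would be `(token) => admin.auth().verifyIdToken(token)` from firebase-admin), so the block runs offline against a constructed fake verifier; the small base class mirrors the success/fail/error methods that passport-strategy documents as augmented per request, and the `runStrategy` helper stands in for Passport's own per-request augmentation.

```javascript
'use strict';

// Minimal stand-in for passport-strategy's Strategy base class (assumption:
// Passport replaces success/fail/error on the instance for each request).
class Strategy {
  constructor() { this.name = 'firebase-jwt'; }
  success() { throw new Error('success() not augmented by Passport'); }
  fail() { throw new Error('fail() not augmented by Passport'); }
  error() { throw new Error('error() not augmented by Passport'); }
}

// Pull the credential out of "Authorization: Bearer <token>"; null if absent.
function extractBearer(req) {
  const header = req.headers && (req.headers.authorization || req.headers.Authorization);
  if (typeof header !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}

// The strategy verifies the token itself; the application's verify callback
// only ever sees a payload that the verifier accepted.
class FirebaseAuthStrategy extends Strategy {
  constructor(verifyIdToken, verify) {
    super();
    this.verifyIdToken = verifyIdToken; // (token) => Promise<decoded payload>
    this.verify = verify;               // (payload, done) => void
  }

  authenticate(req) {
    const token = extractBearer(req);
    if (!token) {
      // No credential at all: fail, so Passport tries the next strategy.
      return this.fail({ message: 'Missing bearer token' }, 401);
    }
    this.verifyIdToken(token).then(
      (payload) => {
        this.verify(payload, (err, user, info) => {
          if (err) return this.error(err);
          if (!user) return this.fail(info || { message: 'User not found' }, 401);
          return this.success(user, info);
        });
      },
      // Signature/expiry/issuer problems are a fail (401), not an error (500).
      (err) => this.fail({ message: 'Invalid token: ' + err.message }, 401),
    );
  }
}

// Drive one request through the strategy and resolve with whichever augmented
// method it called; this imitates what Passport does per request.
function runStrategy(strategy, req) {
  return new Promise((resolve) => {
    strategy.success = (user, info) => resolve({ outcome: 'success', user, info });
    strategy.fail = (challenge, status) => resolve({ outcome: 'fail', challenge, status });
    strategy.error = (err) => resolve({ outcome: 'error', err });
    strategy.authenticate(req);
  });
}

// Constructed fake verifier standing in for admin.auth().verifyIdToken:
// accepts one constructed token string, rejects everything else.
const fakeVerifyIdToken = (token) =>
  token === 'valid-token-123'
    ? Promise.resolve({ uid: 'user-1', email: 'alice@example.com' })
    : Promise.reject(new Error('signature mismatch'));

// Application callback: maps the verified payload to a user object.
const appVerify = (payload, done) => done(null, { id: payload.uid, email: payload.email });

const strategy = new FirebaseAuthStrategy(fakeVerifyIdToken, appVerify);

if (typeof require !== 'undefined' && require.main === module) {
  (async () => {
    console.log(await runStrategy(strategy, { headers: { authorization: 'Bearer valid-token-123' } }));
    console.log(await runStrategy(strategy, { headers: { authorization: 'Bearer forged' } }));
    console.log(await runStrategy(strategy, { headers: {} }));
  })();
}
```

With this shape, `passport.authenticate(['firebase-jwt', 'other'])` falls through to the second strategy on a missing or rejected token, because the strategy calls `fail` instead of leaving that decision to the application's verify/validate method. If revoked sessions matter, firebase-admin's `verifyIdToken` accepts a second `checkRevoked` argument that adds a lookup against the user record.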