Hi!
I wrote a functions API which is used in the browser and with Postman-like programs.
So the user goes to www.myapp.com/api and he receives the basic browser authentication dialog. He enters his username and password. Or if he's using a Postman-like program, he enters his credentials in the Authorization header and everything works.
Then when I receive the HTTP request, I can validate the username/password against the Firebase Auth Email/Password using the client SDK signInWithEmailAndPassword. If it succeeds, I immediately do a signOut. It's only just to validate the credentials.
It was working very well...
So in my case, it's not possible for the user to send me an Auth ID token.
I could send the API key as an environment variable... It will be a PITA because my API is used by about 50 customers, each of whom has their own project and database... It was working out of the box, so I find it sad if I have to do this for every past/future customer.
The API key is a public thing... Why is it not there anymore? Everyone could benefit from having this information...
And I also think that having a verifyEmailAndPassword in the Admin Auth SDK could be a nice feature... I would prefer using this Admin SDK call rather than faking a signIn/signOut to verify the credentials.
And, thinking loudly ( ;-) ) maybe using the client SDK signInWithEmailAndPassword could be useful in order to make Firebase RTDB requests with the User context in order for the Rules to be applied.
I hope I was clear enough in my explanations.
Thanks
VB
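
The credential check described in the post, done as a single stateless request to the Firebase Auth REST endpoint accounts:signInWithPassword rather than a client SDK sign-in followed by a sign-out. This is an added example, not part of the original post: the function names, the injectable fetchImpl parameter and the way the API key reaches the function are assumptions.

```javascript
// Added example (not from the original post). Function names are hypothetical.
const SIGN_IN_URL =
  "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword";

// Parse an "Authorization: Basic <base64(email:password)>" header value.
// Returns { email, password } or null when the header is missing or malformed.
function parseBasicAuth(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec(String(header || "").trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // only the first ':' separates; passwords may contain ':'
  if (sep <= 0 || sep === decoded.length - 1) return null; // empty email or password
  return { email: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Check the credentials with one stateless request; no signed-in user is kept
// in the server process, so there is nothing to sign out afterwards.
// apiKey: the project's Web API key, supplied by the caller (assumption).
// fetchImpl: injectable for tests; defaults to the global fetch (Node 18+).
async function verifyBasicCredentials(header, apiKey, fetchImpl = globalThis.fetch) {
  const creds = parseBasicAuth(header);
  if (!creds) return { ok: false, status: 401 };
  const res = await fetchImpl(`${SIGN_IN_URL}?key=${encodeURIComponent(apiKey)}`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ ...creds, returnSecureToken: true }),
  });
  // Rejected requests, bad credentials included, come back as HTTP 400. Map all
  // of them to one 401 so the caller cannot tell "unknown email" from "wrong password".
  if (res.status === 400) return { ok: false, status: 401 };
  if (!res.ok) return { ok: false, status: 503 }; // any other non-2xx: upstream failure
  const data = await res.json();
  return { ok: true, status: 200, uid: data.localId }; // returned tokens are discarded
}
```

The handler should run over HTTPS only and send a WWW-Authenticate: Basic challenge with each 401, which is what makes the browser show its credential dialog.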