auth/Client.VerifyIDToken should verify (some) fields before checking signature

[palsivertsen]

Field validation in auth/Client.VerifyIDToken(), like checking Expires and IssuedAt, should be done before the, potentially expensive, operation verifyToken. Deep down verifyToken uses locking and issues a http request. Although this is not the biggest overhead, it would be nice if e.g. expired tokens where not dependent on sub-requests to Firebase API (an expired token is not valid no matter the signature)

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[hiranya911]

Makes sense. Please provide a pull request if you can manage it. Otherwise we'll get to it eventually.

Also note that the SDK caches HTTP calls to the public key server. So VerifyIDToken() only makes HTTP calls once every 24 hours or so.

[palsivertsen]

Also note that the SDK caches HTTP calls to the public key server. So VerifyIDToken() only makes HTTP calls once every 24 hours or so.

Yes, I saw. But the locking still happens for every request

[hiranya911]

Fixed