firebase / firebase-admin-node

Firebase Admin Node.js SDK
https://firebase.google.com/docs/admin/setup
Apache License 2.0

Firebase-admin verifies expired token (Cause of expiration: Change in credentials) #1853

Open dullbenz opened 2 years ago

dullbenz commented 2 years ago

Environment

I'm using Ubuntu 21, Firebase-admin 10.2.0, Node v16.

Steps to reproduce:

  1. In the web app, sign in with your firebase user credentials (email/password in my case)
  2. Now make a request to your backend API accessing an endpoint that will modify the user's email.
  3. After this, the front-end app will indicate that the user needs to reauthenticate with firebase when trying to use the old token to make firebase requests.
  4. Yet on the backend application, the front end can still send the old token to my backend API and the verifyIdToken method still validates the token and proceeds.

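As an added illustration (not code from this issue or from the firebase-admin project), the following re-implements, offline, the comparison that `verifyIdToken(token, /* checkRevoked */ true)` performs against the user record's `tokensValidAfterTime`, so that the usual backend fix for the behaviour reported above (call `revokeRefreshTokens(uid)` right after the email change, then verify with `checkRevoked` set) can be seen end to end. The `changeEmail` helper, the user ids and the timestamps are constructed for the example.

```javascript
// Added example, not part of the issue or the SDK. It mirrors the revocation
// check firebase-admin applies when verifyIdToken() is called with
// checkRevoked = true: a token is rejected when the sign-in it came from
// (auth_time, in seconds) predates the user's tokensValidAfterTime, which
// revokeRefreshTokens() stamps on the user record as a UTC date string.

// Revocation check (assumed to match the SDK's comparison). Tokens minted in
// the same second as the revocation are still accepted, as in the SDK.
function isRevoked(decodedToken, userRecord) {
  if (!userRecord.tokensValidAfterTime) return false;
  const authTimeMs = decodedToken.auth_time * 1000;            // seconds -> ms
  const validSinceMs = Date.parse(userRecord.tokensValidAfterTime);
  return authTimeMs < validSinceMs;
}

// Constructed stand-in for the "change email" endpoint from the report:
// update the address AND revoke every session issued before now, which is
// what the real handler would do with updateUser() + revokeRefreshTokens().
function changeEmail(userRecord, newEmail, nowMs) {
  const truncatedToSecond = new Date(Math.floor(nowMs / 1000) * 1000);
  return {
    ...userRecord,
    email: newEmail,
    tokensValidAfterTime: truncatedToSecond.toUTCString(),
  };
}

// Constructed sample data: one sign-in, one old ID token from it.
const signInAtMs = Date.UTC(2022, 9, 1, 12, 0, 0);
const oldToken = { uid: 'user-1', email: 'old@example.com', auth_time: signInAtMs / 1000 };
const userBefore = { uid: 'user-1', email: 'old@example.com', tokensValidAfterTime: undefined };

// Walks through the scenario: old token valid before the change, rejected
// after it, and a token from a fresh re-authentication accepted again.
function demo() {
  const before = isRevoked(oldToken, userBefore);                       // false
  const userAfter = changeEmail(userBefore, 'new@example.com', signInAtMs + 60000);
  const after = isRevoked(oldToken, userAfter);                         // true
  const freshToken = { ...oldToken, auth_time: (signInAtMs + 120000) / 1000 };
  const reissued = isRevoked(freshToken, userAfter);                    // false
  return { before, after, reissued };
}
```

Without the revoke step (or without passing `checkRevoked`), the SDK only checks signature and expiry, which is why the old token in the report keeps validating.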
google-oss-bot commented 2 years ago

I found a few problems with this issue: