
How to create a new federated identity provider for Firebase Authentication

Updated: 2023-12-05 21:40:46

Don't create an HTTP endpoint that accepts a uid and returns a custom token. This is a huge security vulnerability, as any attacker would be able to impersonate any user knowing their uid. What you need to do is the following:

  1. Implement a PayPal OAuth code flow. You can use third-party libraries for that.
  2. When you get the PayPal OAuth authorization code, you send it to your backend, where you use the PayPal client ID and secret to exchange it for a PayPal refresh token and access token. You can then get the user info associated with that PayPal user, including their PayPal uid. You would then mint a Firebase custom token using the Firebase Admin SDKs and return it to the client.
  3. On the client you would call signInWithCustomToken to complete sign-in with that custom token.

In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token.

This is the basic idea (details excluded). Of course you still have to ensure the flow starts and ends on the same device by passing some state and then checking that you get it back at the end. You also have to ensure the auth code is returned to the correct app using something like app links, etc. Firebase Dynamic Links can be helpful there.