 

Firebase functions: Securing firebase https functions

How can an HTTPS call implemented with Firebase functions be secured? If a hacker knows the url he can call it easily. Are there any systems like api keys, app secrets to make this secure? What are the risks to consider?

HixField asked May 13 '18 09:05


People also ask

Are Firebase functions secure?

Firebase gives direct access to Firestore from an app using the Firebase SDK, and that access is protected by security rules that you deploy to your project.

What is the difference between onCall HTTP callable and onRequest HTTP request functions?

onRequest creates a standard API endpoint, and you'll use whatever methods your client-side code normally uses to make HTTP requests to interact with it. onCall creates a callable function. Once you get used to them, onCall is less effort to write, but you don't have all the flexibility you might be used to.

Does Firebase work on HTTP?

You can connect an HTTP function to Firebase Hosting. Requests on your Firebase Hosting site can be proxied to specific HTTP functions. This also allows you to use your own custom domain with an HTTP function.

How do you turn off Cors in Firebase?

If a browser call to your function fails with "request has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource", the function needs CORS (Cross-Origin Resource Sharing) configured. You can also explicitly disable CORS by setting the cors option to false for your function.


1 Answer

Updated following your comments.

If you need to limit access to your Cloud Functions to authenticated users:

There is a sample in the official set of Cloud Function samples on GitHub which "shows how to restrict an HTTPS Function to only the Firebase users of your app". Here is the link: https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint

In addition, Firebase recently released the new HTTPS Callable functions, which "are similar to other HTTP functions, with [some] additional features, ... [including] ... Firebase Authentication." Here is the link to the documentation: https://firebase.google.com/docs/functions/callable


If you only want to "secure" your Cloud Functions "based on an api key or secret (hardcoded in the app)" since they "should be called without any user being logged-in":

Since you have access to the HTTPS request object in the Cloud Function you can add to the headers (or to the body in case of a POST) any "secret value" or "api key" and read it in the Function. However, if you need a revoking mechanism, it's up to you to implement it.


Finally, I would suggest you read this recent answer from Doug Stevenson from the Firebase team: How do you made Google Cloud Functions only worked when pinged from certain URLS?

Renaud Tarnec answered Oct 02 '22 16:10