How can an HTTPS call implemented with Firebase Functions be secured? If a hacker knows the URL, he can call it easily. Are there any systems, like API keys or app secrets, to make this secure? What are the risks to consider?
Firebase gives direct access to Firestore from an app using the Firebase SDK, and that access is protected by security rules that you deploy to your project.
onRequest creates a standard API endpoint, and you'll use whatever methods your client-side code normally uses to make HTTP requests to interact with them. onCall creates a callable. Once you get used to them, onCall is less effort to write, but you don't have all the flexibility you might be used to.
You can connect an HTTP function to Firebase Hosting. Requests on your Firebase Hosting site can be proxied to specific HTTP functions. This also allows you to use your own custom domain with an HTTP function.
Configuring CORS (Cross-Origin Resource Sharing): without it, a browser call to the function fails with "request has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource." You can also explicitly disable CORS by setting the cors option to false for your function.
Updated following your comments.
If you need to limit access to your Cloud Functions to authenticated users:
There is a sample in the official set of Cloud Function samples on GitHub which "shows how to restrict an HTTPS Function to only the Firebase users of your app". Here is the link: https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint
In addition, Firebase recently released the new HTTPS Callable functions, which "are similar to other HTTP functions, with [some] additional features, ... [including] ... Firebase Authentication." Here is the link to the documentation: https://firebase.google.com/docs/functions/callable
If you only want to "secure" your Cloud Functions "based on an api key or secret (hardcoded in the app)" since they "should be called without any user being logged-in":
Since you have access to the HTTPS request object in the Cloud Function, you can add to the headers (or to the body in case of a POST) any "secret value" or "api key" and read it in the Function. However, if you need a revoking mechanism, it's up to you to implement it.
Finally, I would suggest you read this recent answer from Doug Stevenson from the Firebase team: How do you made Google Cloud Functions only worked when pinged from certain URLS?