Can a call to a Firebase https function directly from client side be intercepted?

Question

So now that we can call HTTPS functions directly from client side, I'm wondering if I can use it for sensitive transactional requests and if it's safe. Before I was using forms with POST method but this could make things much simpler.

Is the call from the beginning to the end encrypted?

Answer 1

It may not be obvious at first, but you're asking a lot of questions here. It may take some time to unwind your concerns

First of all, both Cloud Functions HTTPS functions and callable functions are encrypted. In fact, all traffic in and out of Google is encrypted. That is the norm, and you can't even disable that if you wanted to. However, encrypted traffic doesn't necessarily mean that it's "safe". Encryption just guarantees that there can be no man-in-the-middle attacks that are eavesdropping or changing the content on the way in or out.

Encryption doesn't prevent someone from simply invoking the function directly from their own code. For HTTPS and callable functions, it's very much possible for anyone to invoke your function directly. There are no requirements that the call must be coming from your app or your web site. If this is a requirement for you, you need to perform some checks in your function itself to ensure that the call is valid.

With HTTP type functions, you can require that the caller send an authentication token with the request. Then, you can validate the token in your function, and proceed only if everything looks OK to you. There is an example of this in the official samples.

With callable type functions, an authentication token is automatically added if the user is logged in with Firebase Auth. The token is automatically validated as well. All you have to do is check to see if the user is allowed to do whatever it is the call wants to do.

"Safety" is not just about encryption. It includes both authentication and authorization as well.