72

With the latest Firebase Update callable functions were introduced. My question is whether this new way is faster than the "old" http triggers and if it is more secure.

I have no expertise in this field, but I think the HTTP vs HTTPS might make a difference.

This is interesting to me because if the callable functions are faster, they have that advantage, but their disadvantage lies in the nature of flexibility: They cannot be reached by other sources.

If the callable functions have no advantages in terms of speed or security I do not see a reason to switch it up.

creativecreatorormaybenot
  • 114,516
  • 58
  • 291
  • 402

1 Answers1

145

Callable functions are exactly the same as HTTP functions, except the provided SDKs are doing some extra work for you that you don't have to do. This includes, on the client:

  1. Handling CORS with the request (for web clients)
  2. Sending the authenticated user's token
  3. Sending the device instance id
  4. Serializing an input object that you pass on the client
  5. Deserializing the response object in the client

And on the backend in the function:

  1. Validating the user token and providing a user object from that
  2. Deserializing the input object in the function
  3. Serializing the response object in the function

This is all stated in the documentation. If you are OK with doing all this work yourself, then don't use callables. If you want this work done automatically, then callables are helpful.

If you need direct control over the details of the HTTP protocol (method, headers, content body), then don't use a callable, because it will hide all these details.

There are no security advantages to using callables. There are no speed improvements.

Taylor D. Edmiston
  • 12,088
  • 6
  • 56
  • 76
Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • 9
    I really appreciate this answer. I did not find anything like this in the documentation, that is why I asked in the first place. I think you are talking about ["Callable functions are similar to other HTTP functions, with these additional features: With callables, Firebase Authentication and FCM tokens are automatically included in requests. The functions.https.onCall trigger automatically deserializes the request body and validates auth tokens."](https://firebase.google.com/docs/functions/callable). I could not derive from that that there is no performance difference. – creativecreatorormaybenot Mar 25 '18 at 15:27
  • can I debug this locally? – Luis Ruiz Figueroa Jun 21 '18 at 02:26
  • @LuisRuizFigueroa no way to do that.. I've asked about that as well: https://stackoverflow.com/questions/51233554/firebase-how-to-debug-oncall-functions?noredirect=1#comment89449465_51233554 – kkost Jul 08 '18 at 22:44
  • 1
    @LuisRuizFigueroa it's possible now see https://stackoverflow.com/a/59077802/3073272 – GorvGoyl Dec 20 '19 at 20:44
  • 1
    Any price difference? – Dennis Liger Jul 07 '20 at 20:06
  • 7
    Great outline. There is now a security advantage, [App Check](https://firebase.google.com/docs/app-check), currently only available to callables: https://firebase.google.com/docs/app-check/cloud-functions – nsolent Jul 15 '21 at 22:45