5

How can an HTTPS call implemented with Firebase functions be secured? If a hacker knows the url he can call it easily. Are there any systems like api keys, app secrets to make this secure? What are the risks to consider?

Renaud Tarnec
  • 79,263
  • 10
  • 95
  • 121
HixField
  • 3,538
  • 1
  • 28
  • 54
  • Hey did you find a solution for this? Looking at the same thing – Dan May 22 '18 at 07:49
  • Yes, but its not implemented yet (otherwise I would post the code). My idea is just to "hardcode" an api key in the index.js and check it manually for each request (using a promise of course). Should not be to much work... – HixField May 22 '18 at 07:51
  • Could someone just see the api key directly in your code and use it themselves to make requests ? – Dan May 22 '18 at 07:53
  • Yes, thats always with api keys (/app secrets). But the idea is that when this happens you can invalidate the key while other keys (there can be multiple) would still keep on working. – HixField May 22 '18 at 07:55
  • What triggers you to know when to invalidate the key? – Dan May 22 '18 at 07:56
  • Good question :) I guess when I am alerted of hacking somehow. Could be that when the load reported by firebase (nbr invocations?) is unusual I guess. Or when I see my data popping up somewhere where I do not expect it... – HixField May 22 '18 at 08:09
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/171522/discussion-between-dan-and-hixfield). – Dan May 22 '18 at 08:14

1 Answers1

10

Updated following your comments.

If you need to limit access to your Cloud Functions to authenticated users:

There is a sample in the official set of Cloud Function samples on GitHub which "shows how to restrict an HTTPS Function to only the Firebase users of your app". Here is the link: https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint

In addition, Firebase recently released the new HTTPS Callable functions, which "are similar to other HTTP functions, with [some] additional features, ... [including] ... Firebase Authentication. Here is the link to the documentation: https://firebase.google.com/docs/functions/callable

If you only want to "secure" your Cloud Functions "based on an api key or secret (hardcoded in the app)" since they "should be called without any user being logged-in":

Since you have access to the HTTPS request object in the Cloud Function you can add to the headers (or to the body in case of a POST) any "secret value" or "api key" and read it in the Function. However, if you need a revoking mechanism, it's up to you to implement it.

Finally, I would suggest you read this recent answer from Doug Stevenson from the Firebase team: How do you made Google Cloud Functions only worked when pinged from certain URLS?

Renaud Tarnec
  • 79,263
  • 10
  • 95
  • 121
  • Ok, but that is not really applicable to me. I do have functions that should be called without any user being logged-in (not even anonymous). So I want to restrict it based on an api key or secret (hardcoded in the app?). No? – HixField May 13 '18 at 10:15
  • Why not adding an appkey/secret to each callable as a parameter and checking this manually in the cloud function code? If its hacked these could be revoked at least no? – HixField May 13 '18 at 10:22
  • You can indeed do that (since you have access to the `request` object in the Function). But it is up to you to decide if this mechanism is enough in terms of security. I would add, as Doug said in his answer, that CORS is also a possibility, if that suits your needs. – Renaud Tarnec May 13 '18 at 10:25
  • Saving keys in firestore and using request data to confirm that api keys exists seems decent way. but woulf implementing API gateway be better? – jasan Oct 14 '20 at 23:37