
I am using Firebase Cloud Functions, and the first time I saw CORS I set origin to true, but that way anyone can access my functions, so I looked for a way to allow only specific domains to access my cloud functions. I got the code from the cors GitHub page and tried it, but I get "unexpectedly closed the connection" after waiting and waiting.

Here is my function, index.js:

const functions = require('firebase-functions');
const cors = require('cors');

var whitelist = ['http://example1.com', 'http://example2.com'];
// Per-request delegate: reflect the Origin only when it is on the whitelist.
var corsOptionsDelegate = function (req, callback) {
  var corsOptions;
  if (whitelist.indexOf(req.header('Origin')) !== -1) {
    corsOptions = { origin: true }; // reflect (enable) the requested origin in the CORS response
  } else {
    corsOptions = { origin: false }; // disable CORS for this request
  }
  callback(null, corsOptions); // callback expects two parameters: error and options
};

exports.api = functions.https.onRequest((req, res) => {
  // As written, corsOptionsDelegate is never handed to cors(). cors() is the
  // middleware factory, so cors(req, res, cb) treats req as its options object,
  // returns a middleware and never calls cb, which is why the response hangs.
  cors(req, res, () => {
    var d = new Date();
    var n = d.getHours(); // server local time (UTC on Cloud Functions)
    if (n > 8 && n < 17) {
      res.status(200).send("Get started");
    } else {
      res.status(200).send("Closed");
    }
  });
});
Frank van Puffelen
user7716943
  • You're defining a function called corsOptionsDelegate, but you're not doing anything with it. Seems to me that function has to be passed somewhere. – Doug Stevenson Jun 23 '17 at 02:22
  • Okay, but I'm a newbie to this; I don't know how to do it, or maybe if there is a way to allow only authenticated users to access. – user7716943 Jun 23 '17 at 02:50
  • Possible duplicate of [Secure HTTP trigger for Cloud Functions for Firebase](https://stackoverflow.com/questions/43238611/secure-http-trigger-for-cloud-functions-for-firebase) – David Jun 25 '17 at 15:33
  • Did you ever get an answer to this, apart from the usual "possible duplicate" comment... – Drenai Dec 23 '17 at 15:08
  • You can use Authentication headers to only allow authenticated users to access the function; see the answer here: https://stackoverflow.com/a/43239529/8209335 – mikat Jun 25 '17 at 15:09
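As an added example (not code from the question, the comments or the answer), here is the allowlist wired in the direction the comments point to, written in plain Node.js without the cors package so it runs offline: an exact-match allowlist, a Vary: Origin header, a preflight branch, and the point a practitioner should notice, namely that a non-allowlisted Origin only withholds the CORS headers; the handler still runs and still returns its body, so the allowlist restricts browsers, not the server. The helper names (corsAllowlist, openingHoursHandler, run) and the mock req/res objects are constructed for this demo.

```javascript
// Added example: allowlist-based CORS handling with no dependencies.
// Mirrors what cors(corsOptionsDelegate) does once it is wired correctly.
'use strict';

// Exact-match allowlist (scheme + host). A substring or regex check would
// let an origin such as "https://example1.com.evil.test" through.
const ALLOWED_ORIGINS = new Set(['https://example1.com', 'https://example2.com']);

// Middleware-style function (req, res, next). Hypothetical name.
function corsAllowlist(req, res, next) {
  const origin = req.headers['origin'];
  // Vary keeps caches from serving one origin's response to another.
  res.setHeader('Vary', 'Origin');
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    // Reflect only an allowlisted origin; never "*" for credentialed calls.
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Methods', 'GET,POST,OPTIONS');
    res.setHeader('Access-Control-Allow-Headers', 'Authorization,Content-Type');
  }
  if (req.method === 'OPTIONS') {
    // Preflight: answer and stop; the business handler must not run here.
    res.statusCode = 204;
    res.end();
    return;
  }
  // Not allowlisted? Headers are simply absent; the request still proceeds.
  next();
}

// The question's business logic, using UTC explicitly (Cloud Functions run in UTC).
function openingHoursHandler(req, res) {
  const hour = new Date().getUTCHours();
  res.statusCode = 200;
  res.end(hour > 8 && hour < 17 ? 'Get started' : 'Closed');
}

// Shape usable as functions.https.onRequest((req, res) => api(req, res)).
function api(req, res) {
  corsAllowlist(req, res, () => openingHoursHandler(req, res));
}

// --- Offline harness: constructed mock request/response objects ----------
function mockRes() {
  const res = { statusCode: 200, headers: {}, body: null, ended: false };
  res.setHeader = (k, v) => { res.headers[k.toLowerCase()] = v; };
  res.end = (b) => { res.body = b === undefined ? '' : b; res.ended = true; };
  return res;
}

// Run one constructed request through api() and return the mock response.
function run(method, origin) {
  const req = { method, headers: origin === undefined ? {} : { origin } };
  const res = mockRes();
  api(req, res);
  return res;
}

console.log('allowlisted:', run('GET', 'https://example1.com').headers);
console.log('not allowlisted:', run('GET', 'https://attacker.test').headers);
```

With the real package the equivalent wiring is cors(corsOptionsDelegate)(req, res, next): build the middleware from the delegate first, then invoke it with the request. Either way, a request from curl or any non-browser client is answered in full regardless of Origin, which is why the allowlist is a browser-side control and not an access control.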

1 Answer

With an HTTP-triggered function on Firebase Cloud Functions, the cors middleware's origin parameter will be undefined, as will the request header Origin value:

const express = require('express');
const cors = require('cors');
const app = express();

var whitelist = ['https://example1.com'];
var corsOptions = {
  origin: function (origin, callback) {
    console.log(origin); // undefined
    if (whitelist.indexOf(origin) !== -1) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  }
};

app.get('/products/:id', cors(corsOptions), function (req, res, next) {
  console.log(req.header('Origin')); // undefined
  res.json({msg: 'This is CORS-enabled for a whitelisted domain.'});
});

unless you set the Origin header yourself when you make the request to the function. For example:

// Dart `http` package call, setting the Origin header explicitly
await http.get(
  'https://example1.com/yourfunction',
  headers: {
    "Origin": "https://example2.com",
  },
);

The problem is that anyone can write the above request (the Origin header can be faked), so, as this post suggests, a more foolproof way to verify access is to send something like the token that Firebase Auth generates when you sign in (or you can provide the sending party with a secret key they would need to send):

// Same Dart `http` call, sending a bearer token instead of relying on Origin
await http.get(
  'https://example1.com/yourfunction',
  headers: {
    "Authorization": "Bearer your_api_token_here",
  },
);

You would then verify that it's legit in the Cloud Function (instead of checking the potentially fake origin).

galki