1

I am trying to pass some query params to my HTTP function in Firebase in a secure way. My params are not really sensitive like passwords, etc.; they are some booleans, etc. that determine logic server side.

When I try a simple <form> with method GET or PUT, res.query shows the values, but not when I use POST.

    <form id="form" action="https://us-central1-***.cloudfunctions.net/myfuncName"
          method="post">
      <input type="text" name="id" value="test">
    </form>

I submit the form in JavaScript by

    this.getElementById("form").submit();

In my function I have:

    function(req, res) {
        const param = req.query;
        console.log('query param is ' , param); // {} when form method is POST
    }

I expect to be able to get id from res.query in my function but I get null {}. If I change method to GET or PUT then I see {id:test}.

Any suggestion on enhancing the security of this would be appreciated too. Thanks.

TheBen
  • Please show the code you're using to handle this, and explain what exactly is not working the way you expect. – Doug Stevenson Feb 09 '18 at 20:54
  • Did you try different enctype values? https://stackoverflow.com/questions/4526273/what-does-enctype-multipart-form-data-mean – Tim Mickey Feb 09 '18 at 21:00
  • @TimMickey yes, just tried it with no luck. Tried all three variations: 'text/plain', 'application/x-www-form-urlencoded', etc. – TheBen Feb 09 '18 at 21:05
  • @DougStevenson , added a bit more info, hope that makes it more clear. I am trying to find the most secure way to pass on some flags and keywords in my request to get an http function triggered and process, say, a payment. – TheBen Feb 09 '18 at 21:06

1 Answer

3

res.query allows you to get parameters coming from the query string of a request. A POST request doesn't use the query string, so you can't use res.query. POST sends parameters in the request body.

To access POST parameters in the request body that are coming from a form, you can use req.body as described in the Cloud Functions documentation.

Doug Stevenson
  • Thanks a lot. I had totally missed it. Any chance you have a recommendation for a secure way to send uid as a param with the request to http functions? I'm using the user.getIdToken() that is supposedly safe but not entirely sure. – TheBen Feb 09 '18 at 22:02
  • I think it would be a good idea to ask a separate question and explain in more detail what your security concern is. – Doug Stevenson Feb 09 '18 at 22:21
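
The query-string versus request-body split described in the answer, as an added example that is not part of the original thread: a handler in the `(req, res)` shape that reads GET parameters from `req.query` and POST form fields from `req.body`, and validates them before they drive server-side logic. The `express` flag, `ID_PATTERN` and `fakeRes` are assumptions made for illustration; `myfuncName` is the name used in the question.

```javascript
// Added example, not from the thread. `express`, ID_PATTERN and fakeRes are
// assumptions made for illustration; myfuncName is the name used in the question.
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/; // assumed format for "id"

// Choose the parameter source by method: query string for GET, parsed body for POST.
function readParams(req) {
  if (req.method === 'GET') return req.query || {};
  if (req.method === 'POST') return req.body || {};
  return null; // other methods are rejected by the handler
}

// Form fields are client-controlled, so accept only the expected type and format.
function validate(params) {
  const errors = [];
  if (typeof params.id !== 'string' || !ID_PATTERN.test(params.id)) errors.push('id');
  // HTML forms send strings, so a boolean flag arrives as 'true' or 'false'.
  if (params.express !== undefined && !['true', 'false'].includes(params.express)) {
    errors.push('express');
  }
  return errors;
}

function myfuncName(req, res) {
  const params = readParams(req);
  if (params === null) return res.status(405).send('Method Not Allowed');
  const errors = validate(params);
  if (errors.length > 0) return res.status(400).json({ invalid: errors });
  return res.status(200).json({ id: params.id, express: params.express === 'true' });
}

// Minimal stand-in for the Express-style response object, so this runs offline.
function fakeRes() {
  return {
    statusCode: null,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
    send(text) { this.body = text; return this; },
  };
}

// Constructed requests modelled on the form in the question.
const viaPost = myfuncName({ method: 'POST', query: {}, body: { id: 'test' } }, fakeRes());
const viaGet = myfuncName({ method: 'GET', query: { id: 'test' }, body: {} }, fakeRes());
console.log(viaPost.statusCode, viaPost.body);
console.log(viaGet.statusCode, viaGet.body);
```

A POST whose `id` appears only in the query string is rejected with 400 here, because the handler reads POST parameters from the body alone.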