Firebase Cloud Functions Secure HTTPS Endpoints with API key

Question

I've looked at a few places, Including this post and the firebase panel

Is there no way to use these api's to secure these endpoints using an api key you create per client who uses your cloud functions?

I'm able to block every one putting a restriction on the Browser key, but I would like to create a new api key, and use that as a way to authenticate my endpoint for various clients.

Creating a new api key, and using that as a parameter in my query doesn't work (don't now if I'm doing anything wrong)

Is there a way to do this?

Answer 1

Option 1: handle authentication within the function

https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint

Adapt above to use clients/keys stored in firestore

---

Option 2: Use an an API Gateway

• Google Cloud Endpoints (no direct support for functions yet, need to implement a proxy)
• Apigee (higher cost, perhaps more than you need)
• Azure API Management (lower entry cost + easy to implement as a facade for services hosted outside Azure)
• there are more..

The above gateways are probably best for your use case in that the first two would let you keep everything within Google, albeit with more complexity/cost -- hopefully Endpoints will get support for functions soon. Azure would mean having part of your architecture outside Google, but looks like an easy way to achieve what your after (api key per client for your google cloud / firebase functions)

Here's a good walkthrough of implementing Azure API Management:

https://koukia.ca/a-microservices-implementation-journey-part-4-9c19a16385e9

Answer 2

Not to achieve what you are after, as far as firebase and GCP is concerned your clients is your specific business problem.

One way you could tackle this (with the little information that is provided);

1. You need somewhere to store a list of clients + their API key (I would use firestore)

2. For the endpoints you want to secure with a client-specific API key you can include a check to confirm the header exists and also exists in your firestore client record.

Considerations:

1. Depending on your expected traffic loads and the the number of firestore reads you'll be adding, you might want to double check this kind of solution will work for your budget.
2. Is the API-key type solution the only option you must go for? You Could probably get pretty far using the https://github.com/firebase/firebaseui-web and doing user checks in your function with no extra DB read required. If you go down this path most of the user signup/ emails / account creation logic is ready to go. https://firebase.google.com/docs/auth/web/password-auth#before_you_begin

Curious to see what some other firebase users suggest.