
I am using Firebase to send push notifications, a Firestore database to store user information and the notifications sent, and a Cloud Function which interacts with an external API in order to do tasks.

All is working well... Too well...

In fact, when I call the Cloud Function URL without being authenticated, it works. Worse: when I enter the Cloud Function URL in Google, it works and returns elements of my Firestore database!

So the Cloud Function URL is PUBLIC, and if someone finds the Cloud Function URL, he can access the Firestore database and read and write inside it.

I looked all over the internet for ways to restrict access to the Cloud Function URL to only the users who are allowed to use it, but found nothing compelling.

Can someone help me find a proper solution for this critical problem?

Hope this post will help someone in the future.

Thanks

Asked by Idriss, edited by Renaud Tarnec

1 Answer


You will find in the list of official Cloud Functions samples an example of how to "restrict an HTTPS Function to only the Firebase users of your app".

See here: https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint

Another possibility is to transform your HTTP Cloud Function into a Callable one. As explained in the doc, "with callables, Firebase Authentication and FCM tokens, when available, are automatically included in requests."

However, this only makes sense if you call the Cloud Function from your app. If you have to call it through its URL (like a "standard" REST API), this will not make things easier.

Answered by Renaud Tarnec
  • Thanks for your response, I am going to test it and share whether it works or not. However, is there an easy way, like assigning a role to the Cloud Function, to restrict it to IAM users? – Idriss May 23 '19 at 13:48
  • "However, is there an easy way, like assigning a role to the Cloud Function, to restrict it to IAM users?" From what I know, the answer is no. The way to restrict access to authenticated users only for an HTTP Cloud Function is the one explained in the sample. – Renaud Tarnec May 23 '19 at 13:50
  • Thanks for the answers and your time Renaud – Idriss May 24 '19 at 10:03
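As an added example (not code from the linked sample nor from the answerer): the check the sample performs on an HTTPS function, reading the Firebase ID token from the `Authorization: Bearer` header or the `__session` cookie and refusing the request with 403 before any Firestore access when the token is missing or does not verify. Firebase Admin's `admin.auth().verifyIdToken()` is replaced by an injected `verify` function so the block runs offline; the request, token and user values are constructed.

```javascript
// Added example, not the Firebase sample's code. In a deployed function the
// `verify` argument would be (t) => admin.auth().verifyIdToken(t).
// Pull the Firebase ID token from "Authorization: Bearer <token>" or, as the
// official sample also allows, from a "__session" cookie. Null if absent.
function extractIdToken(req) {
  const auth = req.headers && req.headers.authorization;
  if (typeof auth === 'string' && auth.startsWith('Bearer ')) {
    return auth.slice('Bearer '.length).trim() || null;
  }
  if (req.cookies && typeof req.cookies.__session === 'string') {
    return req.cookies.__session;
  }
  return null;
}

// Express-style middleware: 403 unless a verifiable token is present; on
// success the decoded token is attached as req.user and next() is called.
async function validateFirebaseIdToken(req, res, next, verify) {
  const idToken = extractIdToken(req);
  if (!idToken) {
    res.status(403).send('Unauthorized'); // no credential: never reach Firestore
    return false;
  }
  try {
    req.user = await verify(idToken); // rejects forged, expired or wrong-project tokens
    next();
    return true;
  } catch (err) {
    res.status(403).send('Unauthorized');
    return false;
  }
}

// Constructed stand-in for admin.auth().verifyIdToken(), for offline use only.
const CONSTRUCTED_VALID_TOKEN = 'constructed-valid-token';
function fakeVerify(token) {
  return token === CONSTRUCTED_VALID_TOKEN
    ? Promise.resolve({ uid: 'user-123', email: 'alice@example.com' })
    : Promise.reject(new Error('auth/argument-error'));
}

// Run the middleware against a constructed request and report what happened.
async function simulate(headers) {
  const req = { headers, cookies: {} };
  const out = { status: 200, body: null, nextCalled: false, uid: null };
  const res = { status(c) { out.status = c; return this; }, send(b) { out.body = b; } };
  await validateFirebaseIdToken(req, res, () => { out.nextCalled = true; }, fakeVerify);
  out.uid = req.user ? req.user.uid : null;
  return out;
}
```

In a real deployment the client obtains the token with `getIdToken()` on the signed-in Firebase user and sends it in the header; the function also needs Firebase security rules or a server-side ownership check so an authenticated user only reaches their own documents.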