0

This is what I am trying to accomplish: I have a static website hosted with Firebase Hosting and it has a Google Forms Form. Upon clicking the submit button, I want to also send the user an email confirming that we received the form. I have written a Firebase function using an HTTP endpoint. However, that endpoint is exposed to the public. Is there any way I can protect this function? I know that we can do an auth verification with a logged-in user but I don't need the visitor to create an account to submit the form.

Thank you!

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
J W
  • 107
  • 1
  • 10

2 Answers2

1

HTTP triggers deployed by the Firebase CLI are always accessible to anyone with an internet connection. The only access control is provided by Google Cloud to restrict access by IAM, which is not going to be helpful to you here.

What you should do instead is protect the endpoint to be accessible only by users signed in with Firebase Authentication. There are plenty of examples of this.

Callable functions also make it easy to check if the end user is authenticated at the time of the call.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
1

Another possibility might be, to use req.headers["x-forwarded-for"] in order to compare the request's source IP address. It's not exactly a domain-check, because TCP/IP does not know about the DNS, but it still could be combined with a reverse lookup (or simply a list of IP address/es). It depends on the scenario (what the function actually does), because this would also work while not being authenticated. It is from where vs. who ...be aware the another Firebase hosting on the same IP address could not be told apart, but it would rule out direct access from the client-side .

Martin Zeitler
  • 1
  • 19
  • 155
  • 216