1

I am building a Flutter Android app where an user can sign in with a customToken. I have a (Google) Cloud Function that I use to generate a customToken which is sent back to the client (Android App) to sign into Firebase. (the auth provider is not supported by Firebase as of yet - not to my knowledge anyway)

For security and cost-savings purposes, I want to only allow the Cloud Function to be accessed by authorised users, and hence, I removed the allUsers member as a Function Invoker role.

I then created a service account (within the same Firebase project) and gave it the Function Invoker role. The problem now is how do I "authenticate" the client (Android App) to access this function, without being signed in (since you need the customToken to sign in), and also without saving credentials on the client?

Or am I approaching this problem the wrong way? Should that Cloud Function be public? My knowledge of Firebase, Cloud Function and security is also very limited, so any advice/suggestion would be greatly appreciated.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
thats_nice
  • 21
  • 4

1 Answers1

1

Cloud IAM user permissions (such as allUsers and service accounts) don't have anything to do with Firebase Auth users.

Cloud Functions that need to be directly accessible by web and mobile clients must have IAM allUsers permission. They don't need a service account for permission.

If you need to check the Firebase Auth user account that's invoking the function, the client will need to pass an ID token to the function, and the function will need to verify that token with the Firebase Admin SDK in order to find out who the user is, then decide if the should be able to continue execution. This process is described in more detail in the documentation.

If you aren't using Firebase auth, there's not much else you can do from a security perspective, as you would have to include the credentials in the app itself, or otherwise make those credentials publicly available, which is not secure at all. Or in other words, you can't limit access to your function from just your own app code.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • Thanks for the answer. As a follow-up question, are there mechanisms to prevent abuse of the function? I.e.: a hacker gets hold of the url to the function and spams it - I can prevent the hacker from getting authenticated through checks etc. but it will still drive my costs high because of the invocations - or won't it? – thats_nice Aug 01 '20 at 22:05
  • This is a FAQ. There are no controls for this. Your only option is to set a budget alert. https://cloud.google.com/billing/docs/how-to/budgets – Doug Stevenson Aug 01 '20 at 22:22