
TLDR/My question: Is there a way to disable the auto-generated endpoints for Firebase Functions?

I've followed the instructions here so that my Firebase functions are available at custom endpoints (e.g. mydomain.com/api/function1). I then went ahead and successfully configured an API rate limiter with Cloudflare on that domain pattern (which I have DNS control over) and verified that it works correctly as expected.

The only problem this leaves me with is that the default URL for my function (e.g. us-central1-my-hosting-project.cloudfunctions.net/function1) that is automatically provided by Firebase remains unprotected.

Frank van Puffelen
pinglock
  • As a followup to my question: It seems that whenever I use my custom endpoint, a `referer` header is included with the custom endpoint as the value. Is it safe to rely on the presence of this `referer` header to determine whether or not the function invocation should be accepted? This is the only viable solution I've come up with so far. – pinglock Dec 18 '20 at 00:35
  • [This thread](https://stackoverflow.com/questions/8319862/can-i-rely-on-referer-http-header) could help address your followup question – Donnald Cucharo Dec 18 '20 at 06:01
  • Thank you @DonnaldCucharo. Sadly, that thread steers me away from using the one viable solution I've come up with. Hopefully someone will have a better recommendation for my original problem. – pinglock Dec 18 '20 at 22:42

2 Answers


You want to change the "Cloud Functions Invoker" permissions.

Right now, it likely says

"allUsers" and "allAuthenticatedUsers"

Firebase doesn't display this information - but if you:

  1. Go to the main Cloud Functions menu in the GCP console (console.cloud.google.com/functions).
  2. Select the checkbox on the left of the function you want to adjust permissions for.
  3. Look to the right side of the screen; you will see some permissions populate when you check the box.
  4. Look under role/member, you will see "Cloud Functions Invoker"; mine here says "allUsers" (I can't post images but, trust me, it's glorious).
  5. You can delete this line - it will make the function non-public.
  6. You will have to allow for something to invoke the function for it to function (service account, etc).
mcd
Eric E

You won't be able to do this with GCP tools, at least for now.

What you can do as an alternative is to check the Host header of your request and return an error if it's not providing your custom domain.

You should be able to get the host header through Request.hostname

Community
Donnald Cucharo
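The Host-header check from the second answer, written out as an added example (this is not code from the question, the answers, or Firebase itself). It assumes an Express-style `(req, res, next)` handler as used by Cloud Functions for Firebase `onRequest` functions, and uses the custom domain `mydomain.com` and the default URL `us-central1-my-hosting-project.cloudfunctions.net` from the question as constructed sample values. It reads only the `Host` header, normalises it (case, port, IPv6 literal), and refuses anything outside the allowlist with a 403; the fake response object exists only so the middleware can be exercised without a server. It complements, rather than replaces, removing the `allUsers` invoker binding described in the first answer.

```javascript
// Added example, not from the original question or answers.
// Assumed: Express-compatible (req, res, next) handler, custom domain
// "mydomain.com" (from the question), no real server needed to run it.

// Normalise a raw Host header value: lower-case, strip a trailing port,
// and keep IPv6 literals intact ("[::1]:8080" -> "[::1]").
function normalizeHost(raw) {
  if (typeof raw !== 'string') return null;
  const value = raw.trim().toLowerCase();
  if (value === '') return null;
  if (value.startsWith('[')) {
    const end = value.indexOf(']');
    return end === -1 ? null : value.slice(0, end + 1);
  }
  // Only the first value counts if a comma-joined list was sent.
  const first = value.split(',')[0].trim();
  const colon = first.indexOf(':');
  return colon === -1 ? first : first.slice(0, colon);
}

// Build the middleware. `allowedHosts` lists the custom domains that may
// reach the function. X-Forwarded-Host is deliberately not consulted:
// a caller hitting the default cloudfunctions.net URL directly controls
// every header it sends, so only Host, which the platform routes on, is used.
function requireCustomHost(allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return function hostGuard(req, res, next) {
    const host = normalizeHost(req.headers && req.headers.host);
    if (host === null || !allowed.has(host)) {
      res.status(403).send('Forbidden: invoke this function via the custom domain');
      return;
    }
    next();
  };
}

// Minimal stand-in for an Express response (constructed for this example).
function fakeResponse() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Run the guard against one constructed request and report what happened:
// whether the real handler was reached and the resulting HTTP status.
function checkRequest(hostHeader) {
  const guard = requireCustomHost(['mydomain.com']);
  const req = { headers: hostHeader === undefined ? {} : { host: hostHeader } };
  const res = fakeResponse();
  let reachedHandler = false;
  guard(req, res, () => { reachedHandler = true; });
  return { allowed: reachedHandler, status: res.statusCode };
}

// Stand-alone demo: the custom domain passes, the default Firebase URL
// (constructed hostname from the question) is refused with 403.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkRequest('mydomain.com'));
  console.log(checkRequest('us-central1-my-hosting-project.cloudfunctions.net'));
}
```

Wire it in with `app.use(requireCustomHost(['mydomain.com']))` before your routes, or call the guard first inside a single `onRequest` handler. Note that a missing or malformed `Host` header is treated as a rejection rather than a pass.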