
I'm building a set of REST APIs on Firebase. I've generated docs with both Swagger (for "external" docs) and JSDoc (for "internal" ones). Hence, from JSDoc, I have a bunch of HTML pages that I want to deploy onto FB hosting, but I want to restrict access to such pages only to some authenticated users.

For dynamic content, e.g. Swagger-generated, I've easily solved it as follows:

doc_fun.use(
  '/rest',
  basicAuth({
    users: {'user': 'password'},
    challenge: true,
  }),
  swaggerUi.serve,
  swaggerUi.setup(swaggerSpec)
)
exports.docs = functions.https.onRequest(doc_fun)

I'm looking for a (possibly similar) solution for static content. Something like:

doc_fun.use(
  '/jsdoc', 
  basicAuth({
    users: {'user': 'password'},
    challenge: true,
  }), 
  express.static('public/jsdoc')
)

(which, of course, doesn't work)

Frank van Puffelen
cionzo

2 Answers


You will find everything you need in this official Cloud Functions sample, which shows "how to authenticate access to a JSON API to only allow access to data for a specific Firebase user".

More precisely, it shows how the Express middleware "validates Firebase ID Tokens passed in the Authorization HTTP header".

Renaud Tarnec
  • Thank you @Renaud, but my problem is making the Cloud Function access the 'public' hosting folder: I keep getting 404, also in the Cloud Function logs. – cionzo May 11 '21 at 15:00
  • If you generate the "static" files through the Cloud Function it should be ok. It seems strange to generate a static file on the fly but with Firebase Hosting I think it is the only way to do what you are looking for. – Renaud Tarnec May 11 '21 at 15:06

Inspired by the last comment by Renaud, I've managed to find a simple workaround.

I post it here so that, maybe, it can be useful to someone else.

  • I put my 'jsdoc' folder with all its HTML static content inside the 'functions' one
  • I've set the express.static path parameter to './jsdoc'

index.js:

doc_fun.use(
  '/jsdoc',
  basicAuth({
    users: {'user': 'password'},
    challenge: true,
  }),
  express.static('./jsdoc') // current folder is 'functions'
)

firebase.json:

...,
"rewrites": [
  ...,
  {
    "source": "/docs/**",
    "function": "docs"
  }
],
...

And now http://my_project.cloudfunctions.net/docs/jsdoc/ is serving my static content only to authenticated visitors.

cionzo