
I've developed a js to help users input their info in a form by fetching public data. Now I'm thinking of deploying it as a kind of API service.

Is it possible and safe enough for HTTP triggers of PaaS's like GCF and Amazon Lambda to be triggered only from specific domains I allow? Like the js fetching, reading its header's origin and checking its domain.

I've considered generating passcodes per customer and placing them in key.js in the user's directory or an env value, having my js file open on a URL, letting the user's website read the js with the value of key.js in a query param and checking its validity.

But forms can be everywhere in the customer's tree, and placing it in env for each customer can be bothersome at scale.

2 Answers


This isn't a native GCF feature, but you could try

  • Adding a filter in your GCF code (e.g. express.js) to check the requesting domain
  • Making your GCF private and letting it ensure callers are authorized (GCP callers)
  • Running in Cloud Run, App Engine or another service with Identity Aware Proxy and screening out callers that way
Joseph Lust
  • Thank you for your answer. What is the problem with just checking if the requested domain in whitelist=true then return the result else return null or abort(403)? Won't this slow down the function? – Kantumrobot Oct 06 '21 at 21:40
  • If you're checking the `referer` header, then it won't slow things down. If you're doing a reverse DNS lookup against the `x-forwarded-for` IP address, then yes, it would slow things down. You could use Firebase Realtime Database to cache the IP -> domain lookups. @Kantumrobot – Joseph Lust Oct 07 '21 at 00:09
  • I now realized the [problem](https://stackoverflow.com/questions/44699856/how-to-allow-specific-domain-to-access-cloud-functions) of the origin being faked. I also learned that on Firebase Cloud Function 'request.ip' can give you IP but won't it be an IP of clients/users? Not the server domain of my scripts? – Kantumrobot Oct 07 '21 at 08:09
  • The `host` header will tell you the domain/path your GCF is running at. – Joseph Lust Oct 07 '21 at 20:59
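The first bullet of the answer above (an origin allowlist filter inside the function) as an added example, not code from the answer or from Google's Cloud Functions samples. It assumes the Node.js runtime, which hands the function Express-style `req`/`res` objects; the allowlist entries and the `companyLookup` name are constructed placeholders. As the comments note, `Origin` and `Referer` are set by the client, so this stops other web pages running in a browser but not a script that calls the endpoint directly with a forged header.

```javascript
// Constructed sample allowlist of customer site origins (scheme://host[:port]).
const ALLOWED_ORIGINS = new Set([
  "https://customer-one.example",
  "https://forms.customer-two.example",
]);

// Reduce an Origin or Referer header value to its origin.
// Returns null when the header is missing or is not a parseable URL
// (covers the literal "null" origin sent by sandboxed iframes).
function originOf(headerValue) {
  if (!headerValue) return null;
  try { return new URL(headerValue).origin; } catch (e) { return null; }
}

// Browsers send Origin on cross-site fetch/XHR; Referer is the fallback for a
// plain <script src> or form load. Express lower-cases header names.
function requestOrigin(headers) {
  return originOf(headers.origin) || originOf(headers.referer);
}

function isAllowedRequest(headers, allowlist = ALLOWED_ORIGINS) {
  const origin = requestOrigin(headers);
  return origin !== null && allowlist.has(origin);
}

// HTTP-triggered function entry point (hypothetical name).
function companyLookup(req, res) {
  if (!isAllowedRequest(req.headers)) {
    res.status(403).send("Forbidden");
    return;
  }
  // Echo back only the verified origin, never "*", so the browser's CORS
  // check enforces the same allowlist on the client side.
  res.set("Access-Control-Allow-Origin", requestOrigin(req.headers));
  res.set("Vary", "Origin");
  if (req.method === "OPTIONS") {            // CORS preflight
    res.set("Access-Control-Allow-Methods", "GET");
    res.status(204).send("");
    return;
  }
  const q = (req.query && req.query.q) || "";
  // Placeholder for the public-data lookup the question describes.
  res.status(200).json({ query: q, suggestions: [] });
}

if (typeof module !== "undefined") {
  module.exports = { ALLOWED_ORIGINS, originOf, isAllowedRequest, companyLookup };
}
```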

You can use ReCaptcha v3, add the allowed domains that can access your function endpoint, and verify that the token is valid in the function implementation.

reiniergs
  • Oh, this is out of the box, thank you, but this is a prediction of company names; it will work while users are typing in a field, specifically once more than 2 letters are typed in. – Kantumrobot Oct 06 '21 at 21:32