
This is how I'm currently checking if user is authenticated within the onCall function before triggering the logic:

const functions = require('firebase-functions')

exports.foobar = functions.https.onCall(async (data, context) => {
  // context.auth is only populated when the caller sent a valid Firebase ID token
  if (!context.auth) {
    throw new functions.https.HttpsError(
      'unauthenticated',
      'You must be authenticated'
    )
  }
  // Now user is authenticated
})

The problem with it is that even if the user is not authenticated (e.g. some third-party agent) it still counts as a call, hence I will be billed for it.

It opens up a scenario where my app could be the subject of a DDoS attack, and since there is no way to limit my expenses in Google's Firebase console, there is potentially no limit to how big the bill could be.

So, I'd like to know how to protect the endpoint, like if there is a way to limit the function call only to authenticated users, without getting billed for the verification step.
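Added example, not part of the question: a small stand-in for `functions.https.onCall` that mirrors the guard above and counts every invocation. It shows why the in-function check cannot stop billing: the invocation is counted before the guard can reject the caller. `HttpsError`, `makeCallable`, `demo` and the two contexts are constructed for the example.

```javascript
// Stand-in for functions.https.HttpsError (constructed for this example).
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Wraps a handler the way onCall does. The auth guard runs inside the
// function, so stats.invocations is already incremented (the billable event)
// before an unauthenticated caller is turned away.
function makeCallable(handler) {
  const stats = { invocations: 0, rejected: 0, served: 0 };
  const callable = (data, context) => {
    stats.invocations += 1; // counted before any auth check
    if (!context || !context.auth || !context.auth.uid) {
      stats.rejected += 1;
      throw new HttpsError('unauthenticated', 'You must be authenticated');
    }
    stats.served += 1;
    return handler(data, context);
  };
  callable.stats = stats;
  return callable;
}

// Constructed contexts: an anonymous caller and a signed-in Firebase user.
const anonymousContext = { auth: null };
const signedInContext = { auth: { uid: 'user-123', token: { email_verified: true } } };

// Two unauthenticated calls and one authenticated call against a fresh callable.
function demo() {
  const foobar = makeCallable((data, context) => ({ uid: context.auth.uid, echo: data }));
  const results = [];
  for (const ctx of [anonymousContext, anonymousContext, signedInContext]) {
    try {
      results.push(foobar({ x: 1 }, ctx));
    } catch (err) {
      results.push(err instanceof HttpsError ? err.code : 'error');
    }
  }
  return { results, stats: { ...foobar.stats } };
}

console.log(JSON.stringify(demo()));
```

All three calls show up in `invocations` even though only one reached the handler; the rejected calls are what the question is worried about being billed for.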

    I addressed this specific case here. Spoiler: it's not ideal, but you can. [How to protect firebase Cloud Function HTTP endpoint to allow only Firebase authenticated users?](https://stackoverflow.com/questions/42751074/how-to-protect-firebase-cloud-function-http-endpoint-to-allow-only-firebase-auth) – ultraGentle Apr 25 '22 at 13:11
  • @ultraGentle I know that page and it is not related to my case, since I'm interested in validating users PRIOR to function call. Regarding your answer - "it only works with Google-account based authentication.". Correct me if I'm wrong, but that means your solution works only if users are logging in with "Google Sign-In" button? My case is related to firebase authenticated users in general, without any hard limitations on auth provider. – Be Kind Apr 25 '22 at 13:48
  • @ego There is no way to prevent the call based on the Firebase user, as that user is unknown to the Google Cloud Infrastructure. The question ultraGentle linked is the idiomatic source for this topic, and the closest you can do is indeed locking down based on Google sign-in user. – Frank van Puffelen Apr 25 '22 at 14:26
