Reputation: 1478
I have replaced my old unsecured HTTP request functions with onCall functions. I have read the documentation about the new features and that the client automatically sends auth data in the context of the function. I wanted to know what I should do with that context.auth.
I am currently thinking that a guy who knows the URL and the userID could fake a request if I simply compare the context.auth.uid with the userID in the database where something should happen. See code below.
// Assumed imports/initialisation so the snippet runs (not shown in the original post)
const functions = require("firebase-functions");
const admin = require("firebase-admin");
admin.initializeApp();

exports.sampleFunction = functions.https.onCall((data, context) => {
  const userID = data.userID;
  // context.auth is undefined for unauthenticated calls, so guard before reading uid
  const authID = context.auth ? context.auth.uid : undefined;
  console.log("userID is: " + userID);
  console.log("request is authenticated? : " + authID);
  if (!userID || !authID) {
    console.log("wrong request");
    // HttpsError only accepts the documented status codes; "OPERATION_FAILED" is not one
    throw new functions.https.HttpsError("unauthenticated", "OPERATION_FAILED");
  } else if (userID !== authID) {
    console.log("is this safe?");
    throw new functions.https.HttpsError("permission-denied", "OPERATION_FAILED");
  } else {
    // Run the function; return the promise so the callable waits for the read
    return admin
      .database()
      .ref("UserInfo")
      .child(userID)
      .once("value")
      .then((snapshot) => snapshot.val());
  }
});
Upvotes: 1
Views: 682
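The following is an added example, not the question author's code, of how a callable handler should treat context.auth: Cloud Functions fills in context.auth only after verifying the Firebase ID token the client SDK attaches, so context.auth.uid is the authoritative identity, while a client-supplied userID is just untrusted input to check against it. To keep it runnable offline, the HttpsError class, the UserInfo records and the (data, context) objects are constructed stand-ins (assumptions) for functions.https.HttpsError, admin.database() and the real callable context.

```javascript
// Added example: a callable handler that derives identity from context.auth.
// HttpsError and the database are stand-ins so this runs without Firebase.

// Stand-in for functions.https.HttpsError; the real class uses the same
// status codes ('unauthenticated', 'permission-denied', 'invalid-argument', 'not-found').
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Constructed in-memory stand-in for the RTDB node /UserInfo/<uid>.
const fakeUserInfo = {
  "uid-alice": { displayName: "Alice", email: "alice@example.com" },
  "uid-bob":   { displayName: "Bob",   email: "bob@example.com" },
};

// Same (data, context) signature as an onCall handler body.
function sampleHandler(data, context, userInfo = fakeUserInfo) {
  // 1. context.auth is undefined for unauthenticated callers. Reject before
  //    touching context.auth.uid, otherwise the handler dies with a TypeError.
  if (!context || !context.auth || !context.auth.uid) {
    throw new HttpsError("unauthenticated", "Sign in to call this function.");
  }
  const authUid = context.auth.uid;

  // 2. Validate client input as untrusted data.
  const userID = data && data.userID;
  if (typeof userID !== "string" || userID.length === 0) {
    throw new HttpsError("invalid-argument", "userID must be a non-empty string.");
  }

  // 3. Authorization: a caller may only read their own record. Knowing the URL
  //    and a victim's userID does not get past this line, because authUid comes
  //    from a token that only the victim's credentials can mint. (If the only
  //    legitimate value is the caller's own uid, drop the parameter entirely.)
  if (userID !== authUid) {
    throw new HttpsError("permission-denied", "You may only read your own data.");
  }

  // 4. Look up by the verified uid, never by the client-supplied value.
  const record = userInfo[authUid];
  if (!record) {
    throw new HttpsError("not-found", "No UserInfo record for this user.");
  }
  return { uid: authUid, displayName: record.displayName };
}

// Runs the handler and reports the HttpsError code instead of throwing,
// which makes the outcomes easy to compare.
function callOutcome(data, context) {
  try {
    return { ok: true, result: sampleHandler(data, context) };
  } catch (e) {
    if (e instanceof HttpsError) return { ok: false, code: e.code };
    throw e;
  }
}

// With firebase-functions this would be wired up as:
// exports.sampleFunction = functions.https.onCall((data, context) => sampleHandler(data, context));
```

The forged request the question worries about is the second case: an attacker with the URL and Alice's userID but only Bob's (or no) ID token gets permission-denied (or unauthenticated), because the comparison is against a uid the platform verified, not one the client chose.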
Reputation: 1420
What you can do is check whether the user is logged in or not. This will help you to protect the functions.
Step 1: Before calling the HTTP functions from the client side, attach the currently logged-in user's token to the HTTP headers. See the image below.
Step 2: In the cloud function, before processing the HTTP call, call a method which checks whether the user is logged in or not and also validates the token ID (the currently logged-in user's token ID). See the image below for how to validate the incoming HTTP calls before processing them and returning the response.
Step 3: Just call the function on the HTTP request. See the image below.
Note: For securing your data, you should allow only the logged-in user, and only common data should be accessible to the currently logged-in user, not the sensitive data. You should write it in the Rules tab.
For your scenario of a user having the URL, if he tries to access it in a browser tab, he'll get an error saying "Sorry! You're authorized to access the url" if you use the above-mentioned method before accessing the services (HTTP function).
Hope this helps you.
Upvotes: 2
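As an added example (not the answerer's code, whose images are not reproduced here), this is the server side of the three steps above for an HTTP (onRequest) function: the client sends its Firebase ID token in an Authorization: Bearer header, and the function verifies it before doing any work. The verifier is injected so the code runs offline; in production you would pass admin.auth().verifyIdToken from firebase-admin, which checks the token's signature, issuer, audience and expiry and resolves to the decoded claims. The fake verifier, the Express-like res object and the request objects are constructed stand-ins (assumptions).

```javascript
// Added example: Bearer-token gate for an HTTP Cloud Function.

// Pull the bearer token out of the request headers, or null if absent/malformed.
function extractBearerToken(headers) {
  const value = headers && (headers.authorization || headers.Authorization);
  if (typeof value !== "string") return null;
  const match = /^Bearer\s+(\S+)$/.exec(value.trim());
  return match ? match[1] : null;
}

// Wraps handler(req, res, decodedToken) so it only runs for verified callers.
// verifyIdToken(token) must resolve to decoded claims ({ uid, ... }) or reject.
function requireAuth(verifyIdToken, handler) {
  return async (req, res) => {
    const token = extractBearerToken(req.headers);
    if (!token) {
      res.status(401).send("Unauthorized: missing Bearer token");
      return;
    }
    let decoded;
    try {
      decoded = await verifyIdToken(token);
    } catch (err) {
      // Bad signature, expired, wrong project: all are "unauthenticated" to the
      // client; the detailed reason goes to the server log only.
      console.error("ID token verification failed:", err.message);
      res.status(401).send("Unauthorized: invalid ID token");
      return;
    }
    return handler(req, res, decoded);
  };
}

// Constructed stand-in verifier: accepts two fixed opaque strings and rejects
// everything else. Real ID tokens are JWTs; never trust their claims without verifying.
const fakeVerifyIdToken = async (token) => {
  const known = { "tok-alice": { uid: "uid-alice" }, "tok-bob": { uid: "uid-bob" } };
  if (!(token in known)) throw new Error("invalid token");
  return known[token];
};

// Minimal stand-in for Express' res object so the wrapper can be exercised here.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (c) => { res.statusCode = c; return res; };
  res.send = (b) => { res.body = b; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Example protected endpoint: answers with the *verified* uid. Anything the
// client sends about "who it is" (query string, body) is not used for identity.
const protectedHandler = requireAuth(fakeVerifyIdToken, async (req, res, decoded) => {
  res.status(200).json({ uid: decoded.uid });
});

// Drive the wrapper with a constructed request and return the response object.
async function simulate(headers) {
  const res = makeRes();
  await protectedHandler({ headers }, res);
  return res;
}

// With firebase-functions and firebase-admin this would be exported as:
// exports.sampleFunction = functions.https.onRequest(
//   requireAuth((t) => admin.auth().verifyIdToken(t), handler));
```

Opening the function URL in a browser tab sends no Authorization header, so the request stops at the first check with a 401; a stale or forged token stops at the second. Rules in the Firebase console still matter for direct database/storage access, which this gate does not cover.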
Reputation: 76669
Just an idea, but how about adding another function, which updates a user's "API key" with a newly generated one (generated on another server), and then uses that new key for the following requests? High-frequency key rotation does not prevent anybody from obtaining such a URL, but it would render that information useless soon (where "soon" would mean the update frequency, as defined by the interval of the cronjob on that other server).
Upvotes: 2