Ruan

Reputation: 4283

Firebase Cloud Functions Secure HTTPS Endpoints with API key

I've looked at a few places, including this post and the Firebase panel.


Is there no way to use these APIs to secure these endpoints using an API key you create per client who uses your cloud functions?

I'm able to block everyone by putting a restriction on the Browser key, but I would like to create a new API key and use that as a way to authenticate my endpoint for various clients.

Creating a new API key and using that as a parameter in my query doesn't work (I don't know if I'm doing anything wrong).


Is there a way to do this?

Upvotes: 8

Views: 5300

Answers (2)

Ville

Reputation: 1335

Option 1: handle authentication within the function

https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint

Adapt the above to use clients/keys stored in Firestore.


Option 2: Use an API Gateway

The above gateways are probably best for your use case in that the first two would let you keep everything within Google, albeit with more complexity/cost -- hopefully Endpoints will get support for functions soon. Azure would mean having part of your architecture outside Google, but looks like an easy way to achieve what you're after (API key per client for your Google Cloud / Firebase functions).

Here's a good walkthrough of implementing Azure API Management:

https://koukia.ca/a-microservices-implementation-journey-part-4-9c19a16385e9

Upvotes: 4

Isuru Fonseka

Reputation: 601

Not to achieve what you are after; as far as Firebase and GCP are concerned, your clients are your specific business problem.

One way you could tackle this (with the little information that is provided):

  1. You need somewhere to store a list of clients + their API key (I would use Firestore).

  2. For the endpoints you want to secure with a client-specific API key, you can include a check to confirm the header exists and also exists in your Firestore client record.

Considerations:

  1. Depending on your expected traffic loads and the number of Firestore reads you'll be adding, you might want to double check this kind of solution will work for your budget.
  2. Is the API-key type solution the only option you must go for? You could probably get pretty far using https://github.com/firebase/firebaseui-web and doing user checks in your function with no extra DB read required. If you go down this path, most of the user signup / emails / account creation logic is ready to go. https://firebase.google.com/docs/auth/web/password-auth#before_you_begin

Curious to see what some other firebase users suggest.

Upvotes: 0
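
The approach both answers describe (per-client keys stored in Firestore and checked from a request header), as an added example that is not code from either answer or from the Firebase samples. The `x-api-key` header name, the `apiClients` collection named in a comment, the injected `lookupClient` function and the sample key are assumptions; the in-memory store is constructed so the block runs offline.

```javascript
const { createHash } = require('crypto');

// Firestore holds only a SHA-256 digest of each key (used as the document
// ID), so a leaked client collection does not expose usable keys.
const hashKey = (key) => createHash('sha256').update(key, 'utf8').digest('hex');

// lookupClient(digest) resolves to a client record or null. With Firestore it
// would be a single document read from a hypothetical "apiClients" collection.
function makeApiKeyAuth(lookupClient, { ttlMs = 60000, maxEntries = 1000, now = Date.now } = {}) {
  const cache = new Map(); // digest -> { client, expires }
  const result = (client) => ({ status: client ? 200 : 403, client });

  return async function authenticate(req) {
    // Header rather than query string: URLs tend to end up in request logs.
    const key = req.headers['x-api-key']; // header name is an assumption
    if (typeof key !== 'string' || key.length < 20 || key.length > 128) {
      return { status: 401, client: null }; // rejected before any database read
    }
    const digest = hashKey(key);
    const hit = cache.get(digest);
    if (hit && hit.expires > now()) return result(hit.client);

    const record = await lookupClient(digest);
    const client = record && !record.disabled ? record : null;
    // Unknown keys are cached too, so repeated bad requests cost one read per
    // TTL. The size cap keeps random keys from growing the map without bound.
    if (cache.size >= maxEntries) cache.clear();
    cache.set(digest, { client, expires: now() + ttlMs });
    return result(client);
  };
}

// Constructed sample data standing in for the Firestore collection.
const SAMPLE_KEY = 'demo-key-0123456789abcdef';
const sampleStore = new Map([[hashKey(SAMPLE_KEY), { name: 'acme', disabled: false }]]);
let reads = 0; // counts simulated Firestore reads
const sampleLookup = async (digest) => {
  reads += 1;
  return sampleStore.get(digest) || null;
};
```

In a function, call `authenticate(req)` at the top of the `functions.https.onRequest` handler and send the returned status when it is not 200. Cached entries mean a revoked key keeps working for up to `ttlMs`.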
