Zorgan

Reputation: 9123

Only allow Cloud Functions to be called in my app code

I only want my Cloud Functions to be called from code within my app.

Every onCall() Cloud Function provides the context variable, which gives information on how or where the call was made from:

exports.beginRound = functions.https.onCall(async (data, context) => {
    // context.auth is undefined for unauthenticated calls, so guard it before reading uid
    if (!context.auth || !context.auth.uid) { return 404 }
});

My question is: is the above line enough to prevent function calls outside of my app?

It should only let the function proceed if the user is authenticated. And the user should only be authenticated if they're using my app, right?

I'd just like to clear this up.

Thank you

Upvotes: 0

Views: 135

Answers (1)

Doug Stevenson

Reputation: 317467

is the above line enough to prevent function calls outside of my app?

What you have checks to see if the user has been authenticated using an auth provider enabled by your project. There is nothing more than that.

The request could be coming from anywhere. It doesn't have to come from your app. As long as the user has authenticated and has a token that validates their identity with an enabled provider, they will be able to invoke this function and bypass the check.

Practically speaking, most access will come from your app, but in terms of security, be aware that the request does not technically have to originate from the client app code. App code is fundamentally insecure and could be compromised. The request could have used public APIs to auth the user, get a token, and pass it along using the callable protocol.

Upvotes: 2
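The point of the answer, shown in code: an `onCall` handler's authentication check only establishes that the caller holds a valid ID token, not which client produced it. The block below is an added example, not code from the question, the answer or the Firebase SDK. It models the `(data, context)` handler shape and the `context.auth` object without importing `firebase-functions`, so it runs stand-alone; the `HttpsError` class is a constructed stand-in for `functions.https.HttpsError`, and the sample contexts are constructed, not real tokens. It also fixes the defect in the question's check: `context.auth` is `undefined` for unauthenticated calls, so `context.auth.uid` would throw rather than reject.

```javascript
// Stand-in for functions.https.HttpsError (constructed here; same code/message shape).
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// The check the question asks about, written so it never dereferences a missing
// context.auth. It answers exactly one question: does this request carry a
// valid ID token from an enabled provider? It says nothing about where the
// request came from.
function requireAuthenticatedUser(context) {
  if (!context.auth || !context.auth.uid) {
    throw new HttpsError('unauthenticated', 'Sign-in required');
  }
  return context.auth.uid;
}

// Handler body in the shape functions.https.onCall expects: (data, context) => result.
// In a real deployment this would be passed to functions.https.onCall(...).
function beginRoundHandler(data, context) {
  const uid = requireAuthenticatedUser(context);
  // Round logic would go here; this hypothetical body just records who started it.
  return { startedBy: uid, round: data.round };
}

// Runs the same check and reports the outcome without throwing, to make the
// answer's observation explicit: a token minted by the app and a token obtained
// through the public Auth API look identical to the function.
function classifyCall(context) {
  try {
    const uid = requireAuthenticatedUser(context);
    return { allowed: true, uid, originProven: false };
  } catch (e) {
    return { allowed: false, reason: e.code };
  }
}

// Constructed sample contexts (no real tokens). `anonymousCall` has no auth
// object at all, which is what an unauthenticated callable request looks like.
const SAMPLE_CONTEXTS = {
  anonymousCall: { rawRequest: {} },
  appUser: {
    auth: { uid: 'user-from-app', token: { firebase: { sign_in_provider: 'password' } } },
  },
  scriptedUser: {
    auth: { uid: 'user-from-script', token: { firebase: { sign_in_provider: 'password' } } },
  },
};

// Stand-alone usage: both authenticated contexts pass, the anonymous one is rejected.
for (const [name, ctx] of Object.entries(SAMPLE_CONTEXTS)) {
  console.log(name, classifyCall(ctx));
}
```

`originProven` is always `false` on the allowed path because nothing in `context.auth` records which client performed the sign-in; the check rejects missing or invalid tokens and nothing else.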
