How to use Firebase Security Rules to secure Cloud Functions calls with Firebase Authentication?

Question

I'm starting deep on Firebase Security Rules and I'm following the Firebase Security Rules docs, but this document just says about Realtime Database, Cloud Firestore, and Cloud Storage options. There is a way to use Firebase Authentication to protect an invoke of a Google Cloud Function from Client-Side?

I'm trying to use a GC Function as a backend to access the Cloud SQL from a Web Application.

Answer 1

Cloud Functions generally use Admin SDK (or service accounts, application default credentials to access any other services like Cloud SQL) which has complete access to your Firebase project's resources and also bypasses all security rules. That being said you would have to authorize requests yourself. For example, if you are using onCall function:

export const fnName = functions.https.onCall((data, context) => {
  const { auth } = context
 
  if (!auth) console.log('User not logged in')

  const { uid } = auth; 
  // UID of user who called the function
   // Check if user has access to requested resource
  // process request
})

If the caller of function is not authenticated, then context.auth will be undefined.

---

If your question is if you can prevent the invocation of function at first place, then there's currently no way to do so. You can use Firebase App Check to ensure the function is called from your registered application only.