This is probably a dupe, but I have been searching for days now and I can't seem to figure it out.
Setup is fairly easy:
I have a firebase front-end (Dart) app (Web/Android) that gets it's data from a Google Cloud HTTP Function backend.
When I deploy the GC function with option --allow-unauthenticated obviously it works without any problems.
Now I want to secure this function so that only logged in users can actually invoke the GC function. What I don't want is to deal with the hassle of user-administration, but (as far is I understand) this can be dealt with by Firebase completely.
Can anybody in a step-by-step procedure explain to me what I have to do to accomplish this? (No links to docs please, I have kinda read them all...)
I have succeeded in retrieving a token from the Google Cloud Identity Toolkit, but when I use this token in the Authorization Header of an HTTP call, I get permission denied.
Also I have tried to create a Service Account and associate it with the GC function, but how do I get a Firebase token for this account? (If I need it at all)
Related
I need to implement a scenario where, after a file is uploaded to Google Cloud Storage, a function is triggered and processes the file. In this case, processing basically means sanitizing the file, storing it into Firestore and making it accessible via another HTTP-triggered function (a REST API of sorts).
Both user-facing ends of this process (a file upload and HTTP function) need to be secured. The process will be used in server-to-server scenario: one side is going to be a backend written in either Node.js or .NET, the other will be my Firebase solution (Cloud Storage and HTTP-triggered function as per above). In Firebase, I am going to maintain a custom set of users that should have access to the system - my idea was to use a simple system where each user will have a client id and a client secret (basically an oAuth client credentials grant type).
Based on what I read online, an only option to implement this is to use [Firebase auth with custom tokens][1]. I found lots of examples online on how to do that, but it was always about client-to-server scenarios (e.g. a Javascript web app talking to REST API). Server-to-server scenarios were not mentioned anywhere and indeed, I am unsure how to go about implementing it - I can call auth.createCustomToken(uid) just fine in my HTTP Firestore function, but there seem to be no server-side libraries I could use to call auth.SignInWithCustomTokenAsync(customToken).
To sum it up:
How can I use Firebase auth with custom tokens in server-to-server
scenario, where I need to sign in using a previously generated
custom token from a server environment?
If it is not possible,
what's the other alternative to securely implement the
above-described architecture?
I've contacted Google Support and if anyone else is struggling with this, in server-side scenarios, recommended approach is to call signInWithCustomToken endpoint in Firebase Auth REST API.
I have a callable function that gets users auth data and validates it (inside the function), if user is not authenticated or allowed to do a certain action I throw respective error.
However nothing stops malicious actors to run a loop that constantly pings such function and rack up cost in terms of invocations / little bit of time those functions run.
Cloud providers like AWS have systems in place where this auth check is set up on an api gateway / loadbalancer level and users are not billed if someone calls functions with unexpected headers / payload or without authentication.
Does something like this exist for firebase, perhaps via google cloud?
No, it's not possible. The callable function must execute in order for the firebase-functions SDK to verify the user's ID token via the Firebase Admin SDK. It's not a "free" operation in any way. No matter how you write or deploy it, something is going to have to invoke the Firebase Admin SDK to verify the token - it's not part of any unbilled cloud infrastructure.
I'm working on a web app running on firebase services. I've created an express back-end running on Firebase Cloud Functions and hosted on Firebase Hosting. I am trying to add authentication so only users with permissions can access admin pages.
I tried implementing session cookies as described here. It was successful but unfortunately was vulnerable to CSRF attacks since Cloud Functions strips all cookies without the name __session from incoming requests so the proposed csrfToken cookie solution is impossible.
I then considered using Auth's persistence in the client's local storage and sending the token in the header of a GET request. Unfortunately, I have only found tutorials on how to do this for requests within scripts e.g. for APIs, not for GET requests directly from the browser to serve a page.
It seems that there should be a simple solution. Am I missing something? Is cloud functions not meant for serving web apps like this? Is there another way to protect against CSRF without cookies? If Cloud Functions still allows the __session cookie is it meant to be used for storing the user's Auth Token and if so does it protect against CSRF anyway?
Thanks
In the firebase Cloud Function you can implement your own Auth. However Firebase provided its own Authentication method. In the Cloud Function, it is simple use the ‘functions.auth.user().onCreate() ‘ method. You can refer to Extend Firebase Authentication with Cloud Functions documentation for samples.
As for your GET question, are you asking about how to programmatically extract the parameter from the URL? It'ss similar to this; you can pull the URL and substring the part that contain the token.
I am building some internal API for my apps/website with Firebase Functions. Internal API as in to let my apps/website to process something on server side, its doesn't mean to open to public use.
My Apps is built with ionic and website is built with angular.
I noticed the one of Firebase Functions Pricing calculation include "Invocations". Is that Invocations means every time when I call the API equal to 1 Invocation? If yes, then the API might be abused by end user, since they able to view the website source and found the API.
I been searching solution in google, some of them suggest to enable authentication and cors, to avoid abuse of the usage. But authentication and cors still counting the Invocations right?
My code structure:
client call API by get/post method, pass user TOKEN that get from Firebase Authentication
request reach the Firebase Functions
server will check the preflight info by using CORS, as well as validate the TOKEN.
Return error if didn't pass on the (3), else proceed to execute the function.
So I assume if end user inspect my web source code and get the API URL, they can simply spam my API right? Then my bill will burst because of the load of Invocations.
If you suspect that your project is being abused, which is always possible, contact Firebase support to work towards a resolution.
I am new on firebase cloud functions. I would like to ask a question about always running or self-triggering functions. How can we handle these things? How can we implement always running functions or self-triggering?
Google Cloud Functions are snippets of code that run in response to events that happen somewhere else. Some example events:
a HTTPS URL is accessed, either from application code, or in some other way
a User account is created on Firebase Authentication
a node is written in the Firebase Realtime Database
a message is sent to a Cloud PubSub topic
There is no concept on a forever-running function on Cloud Functions (nor on other, similar Functions-as-a-Service offerings), although it's definitely possible to create a function that gets triggered every minute or so (like a cron job).