How to securely pass time based credentials to google cloud functions? - firebase

I'm searching for an efficient way to store credentials inside google cloud functions that are only valid for 30 days.
My current approach is to set the username and password with firebase functions:config:set service.username="username" service.password="password" and sign the service in and write the response with credentials to the os.tmpdir()/creds.json.
The problem with this approach is that the os.tmpdir()/creds.json is deleted every x seconds (maybe due to cold starts). Is there a more efficient approach then just signing in the service every time or making a additional request to the cloud firestore to retrieve/store the credentials?

Cloud Functions server instances are short-lived, as you have observed. I wouldn't store anything in those instances, other than what you might use temporarily as an optimization.
Instead, you will need to use some persistent storage, such as a database or Cloud Storage. You don't have to make a request to it every time, just as often as a new server instance is allocated to handle load.

Related

Caching in firebase

I have my app hosted in firebase and using cloud functions to fetch data from a third-party API. This cloud function is HTTP triggered and runs whenever client-side requests data. I want to reduce cloud functions calls (as it is currently on Blaze plan), so thinking to add caching in my app.
What are the caching strategies I can use on the client (web browser) as well as server-side (Node.js)?
Overall I want to reduce cloud function calls to minimize costs, so that on every client request, cloud function doesn't need to be called, instead the client can fetch data from cache.
Should I use firebase real-time database for storing data from third-party API and update this in firebase over a period of time, so that data is up-to-date? Data on the third-party side doesn't change frequently.
Whether fetching data from real-time database (as mentioned in point 3 above) instead of cloud function calls would eventually reduce costs?
If you host your Cloud Function behind Firebase Hosting, you can write a cache header in every response and manage the cache behavior of Firebase Hosting that way. Allowing the content to be served from Firebase Hosting's CDN may significantly reduce the number of times your Function gets executed, and thus its cost.

Is it possible to only allow authenticated users to use callable function, without getting billed for invalid invocations?

I have a callable function that gets users auth data and validates it (inside the function), if user is not authenticated or allowed to do a certain action I throw respective error.
However nothing stops malicious actors to run a loop that constantly pings such function and rack up cost in terms of invocations / little bit of time those functions run.
Cloud providers like AWS have systems in place where this auth check is set up on an api gateway / loadbalancer level and users are not billed if someone calls functions with unexpected headers / payload or without authentication.
Does something like this exist for firebase, perhaps via google cloud?
No, it's not possible. The callable function must execute in order for the firebase-functions SDK to verify the user's ID token via the Firebase Admin SDK. It's not a "free" operation in any way. No matter how you write or deploy it, something is going to have to invoke the Firebase Admin SDK to verify the token - it's not part of any unbilled cloud infrastructure.

Firebase Cloud Functions setting environment configuration within a cloud function

I'm using cloud functions that call an external service that uses OAuth2 Security. Each invocation of my cloud function first, authenticates and gets an access token for the subsequent API call to the external service.
The access token expires in 30 mins, so to avoid token expiration, each invocation I get a new token.
I'd like to use the cloud function scheduler to get the access token and save it to the cloud function config, I can schedule this to happen every 25 mins. This would avoid each invocation requiring to first get an access token.
It does not look like the cloud function environment config allows programmatic updating of config within a cloud function.
https://firebase.google.com/docs/cli/#functions-commands
Anyone solved something similar?
UPDATE: As following further docs, the cloud function needs to be deployed again for the configuration update to occur. I think the solution to this question is likely a CI cronjob, that gets an access token, updates firebase cloud function configuration and redeploys the cloud functions.
I think that trying to update the configuration of the function, or redeploying the function altogether, isn't really the best idea here. You're probably better off just storing the information in a database or some other shared location, then each function can query that to get a hold of the token and its metadata as needed. The function can store the token in memory for as long as its known to be valid so that it doesn't have to be fetched for each invocation.

using cloud firestore and cloud functions within unity app safely

In my Unity project, I'm using simple web requests (POST requests) to store and retrieve information from the Cloud Firestore, and it is all working fine.
The POST requests are made to some Cloud Functions that do all the job in the database.
The thing is I'm using the database with all permission (read and write) granted to everyone.
I don't know how to safely allow this operations. What I mean by this is if I'm an user of the app (and I'm INSIDE the app), then I should be able to read and write from the database, but outside the app nobody should be allowed to do any modification in the database.
How can I secure my database within these constraints? I read about Firebase auth but I didn't understand.
You'll need to learn about Firestore security rules. It's a long and complex topic, and impossible to say for sure exactly what's required for your case. But you can start reading the documentation about it.

Cloud Functions: where to keep access token for API calls

I have created a Cloud Function which:
Receives some data
Calls a google API to verify the data are correct
Now, to call the google API I need to authenticate first. This will give me an access token (that expires) that can be used for subsequent calls.
I'm wondering where can I save this access token so that other invocations of the function can "see" it and use it. I know I cannot use a "global variable" as the function may run on different machines.
The obvious solution is to write it in Realtime Database... But I don't really like it, as someone could get access to it... Does Cloud Functions provide an object or something where I can write data into?
Cloud Functions are intended to be stateless, and there is no persistent storage it provides. Also, Cloud Functions could start up many server instances to handle your functions, so you will have to find a way to share data between those instances as they come and go.
Storing your token in the Realtime Database is probably your best option. As long as you're using security rules correctly, no one will be able to read it.

Resources