So now that we can call HTTPS functions directly from client side, I'm wondering if I can use it for sensitive transactional requests and if it's safe. Before I was using forms with POST method but this could make things much simpler.
Is the call from the beginning to the end encrypted?
It may not be obvious at first, but you're asking a lot of questions here. It may take some time to unwind your concerns
First of all, both Cloud Functions HTTPS functions and callable functions are encrypted. In fact, all traffic in and out of Google is encrypted. That is the norm, and you can't even disable that if you wanted to. However, encrypted traffic doesn't necessarily mean that it's "safe". Encryption just guarantees that there can be no man-in-the-middle attacks that are eavesdropping or changing the content on the way in or out.
Encryption doesn't prevent someone from simply invoking the function directly from their own code. For HTTPS and callable functions, it's very much possible for anyone to invoke your function directly. There are no requirements that the call must be coming from your app or your web site. If this is a requirement for you, you need to perform some checks in your function itself to ensure that the call is valid.
With HTTP type functions, you can require that the caller send an authentication token with the request. Then, you can validate the token in your function, and proceed only if everything looks OK to you. There is an example of this in the official samples.
With callable type functions, an authentication token is automatically added if the user is logged in with Firebase Auth. The token is automatically validated as well. All you have to do is check to see if the user is allowed to do whatever it is the call wants to do.
"Safety" is not just about encryption. It includes both authentication and authorization as well.
The documentation you refer to explicitly mentions that Callable Functions are HTTPS ones, so yes the call is encrypted from end-to-end.
The Cloud Functions for Firebase client SDKs let you call functions
directly from a Firebase app. To call a function from your app in this
way, write and deploy an HTTPS Callable function in Cloud Functions,
and then add client logic to call the function from your app.
Related
I need to implement a scenario where, after a file is uploaded to Google Cloud Storage, a function is triggered and processes the file. In this case, processing basically means sanitizing the file, storing it into Firestore and making it accessible via another HTTP-triggered function (a REST API of sorts).
Both user-facing ends of this process (a file upload and HTTP function) need to be secured. The process will be used in server-to-server scenario: one side is going to be a backend written in either Node.js or .NET, the other will be my Firebase solution (Cloud Storage and HTTP-triggered function as per above). In Firebase, I am going to maintain a custom set of users that should have access to the system - my idea was to use a simple system where each user will have a client id and a client secret (basically an oAuth client credentials grant type).
Based on what I read online, an only option to implement this is to use [Firebase auth with custom tokens][1]. I found lots of examples online on how to do that, but it was always about client-to-server scenarios (e.g. a Javascript web app talking to REST API). Server-to-server scenarios were not mentioned anywhere and indeed, I am unsure how to go about implementing it - I can call auth.createCustomToken(uid) just fine in my HTTP Firestore function, but there seem to be no server-side libraries I could use to call auth.SignInWithCustomTokenAsync(customToken).
To sum it up:
How can I use Firebase auth with custom tokens in server-to-server
scenario, where I need to sign in using a previously generated
custom token from a server environment?
If it is not possible,
what's the other alternative to securely implement the
above-described architecture?
I've contacted Google Support and if anyone else is struggling with this, in server-side scenarios, recommended approach is to call signInWithCustomToken endpoint in Firebase Auth REST API.
I have made my mobile app using firebase on iOS & I use callable functions to communicate with database.
When I try to perform a “man in the middle” attack/move using a simple app as Charles, I can see all my calls with the data I send, in plain text. When I use a well know app like iTunes I cannot decrypt anything (which I think is what we call ssl pinning)
I have 3 questions:
does firebase cloud functions (https.callable) handle ssl pinning ?
if not how can I protect from this ? Using node for my function, is it possible to request a ssl certificate from firebase and link it to functions ?
Does the mobile Sdk request are pinned ? I cannot see anything about read calls on my sniffing app.
Thank you all.
As per this post here by Doug, all data in and out of Google is encrypted (including the client SDKs). There is simply no way around this.
Now, you can take this a step further and prevent abuse by configuring App Check which, according to the documentation, provides an additional layer of security against billing fraud and phishing.
However, you will still need to check the authentication token (automatically passed in with onCall functions) to make sure the user is authorized to execute the functions they are calling.
Is it possible to protect firebase http triggered functions without auth and accept calls only from my firebase hosted app?
I want my web app to call firebase functions with unauthenticated users but I don't want this functions to be accessible from anywhere else.
This is not possible to enforce. All of your HTTP functions are accessible by all other clients out there, regardless of where they are in the world (unless something in their network is blocking them).
You could certainly make an attempt to guess if a request did not originate from your web site (by looking at the referrer header), but that information can be easily spoofed by an attacker.
I am building some internal API for my apps/website with Firebase Functions. Internal API as in to let my apps/website to process something on server side, its doesn't mean to open to public use.
My Apps is built with ionic and website is built with angular.
I noticed the one of Firebase Functions Pricing calculation include "Invocations". Is that Invocations means every time when I call the API equal to 1 Invocation? If yes, then the API might be abused by end user, since they able to view the website source and found the API.
I been searching solution in google, some of them suggest to enable authentication and cors, to avoid abuse of the usage. But authentication and cors still counting the Invocations right?
My code structure:
client call API by get/post method, pass user TOKEN that get from Firebase Authentication
request reach the Firebase Functions
server will check the preflight info by using CORS, as well as validate the TOKEN.
Return error if didn't pass on the (3), else proceed to execute the function.
So I assume if end user inspect my web source code and get the API URL, they can simply spam my API right? Then my bill will burst because of the load of Invocations.
If you suspect that your project is being abused, which is always possible, contact Firebase support to work towards a resolution.
I'm building a React+Redux app, and using some firebase cloud functions which I call in an action creator. I was wondering, if I should save the cloud function url as an environment variable, since this code is on the client side? I already have cors implemented to only allow requestsfrom my domain.
Thank you
In general, you should always make sure that endpoints that can be called from a client are robust enough to be secure if publicly disclosed. Browser, Android, and iOS apps can all be inspected and disassembled to discover outgoing request URLs.
"Security through obscurity" can buy you time, but is not in and of itself a real means of protecting your application. Instead, you should make sure that the endpoint requires sufficient authorization (e.g. by using the Firebase ID token as per this sample).
In other words, there's no need to hide it because at the end of the day, you can't!