Firebase Functions "External network is not accessible and quotas are severely limited" when calling Google maps API - firebase

I've a Firebase Function making a request to a Google API https://maps.googleapis.com/maps/api/directions/json which should be allowed on the Spark plan because it's a Google API.
But in the logs it says this:
Billing account not configured. External network is not accessible and
quotas are severely limited. Configure billing account to remove these
restrictions
I found this weird because the Spark plan has this note for Cloud function:
The Spark plan allows outbound network requests only to Google-owned
services. Inbound invocation requests are allowed within the quota.
The question here is: "is this a common issue or am I missing something here?"

Related

How to restrict Firebase Cloud Function to accept requests only from Firebase Hosting website

I have a Node.js API (built with Express.js) hosted on Firebase Cloud Functions and an accompanying web application hosted on Firebase Hosting which is supposed to interact with the aforementioned API.
I would like to restrict calls to the API so that only the web application would be able to call the cloud functions. How can I achieve that?
What I have tried:
using the App Check or more precisely Google's reCAPTCHA v3 for web apps. I have whitelisted the domain of the web application and have activated App Check token validation server side as well. The problem with App Check, however, is that I am able to obtain the reCAPTCHA attestation token from the browser (after authenticating through the web app) and use that with requests made from anywhere. This enables bombarding the API from outside the web application and defeats the purpose of using App Check in the first place.
Something to note here, the documentation for activating App Check in Cloud Functions instructs the usage of functions.https.onCall(). However, since my API is built using Express.js, I had to use a workaround to be able to use functions.https.onRequest() as instructed here.
restricting the Cloud Function from Google Cloud console to allow only clients of the same project to call the function as instructed here. Unfortunately, my web application hosted on Firebase Hosting does not seem to belong under the same Google Cloud project. Apps hosted on Firebase Hosting do not appear in Google Cloud console. Furthermore, after adjusting the Ingress settings of the functions to "allow internal traffic only", I am receiving CORS errors when attempting to access the API through the web application. I am unable to access the API from anywhere else though, which is partly the desired outcome.
Before anyone proposes limiting the domains in CORS options from within the API, while this might serve the purpose of restricting access to the API endpoints, it still would allow calling the function rapidly and thus, potentially, racking up the bill.
I am grateful for any suggestions!
Firebaser here.
This is a great question! Doug has already made some great points above, and I'll just add to that by saying that the TTL on App Check tokens reduces the replay window that you observed in your first bullet point, and this TTL is configurable.
The default TTL for reCAPTCHA v3 is 1 day to protect against running out of quota, but you can set a shorter TTL to increase the cost for an attacker trying to set up a replay attack. But please do be mindful of the associated trade-offs as described in the documentation. You can read about the associated quotas and limits here.
Unfortunately, web applications redirected from Firebase Hosting can't hook up to the GCP internal network. App Check is actually exactly what you are looking for in this situation.
Finally, because we are continuously working on improving the App Check platform, the comments you leave here are valuable for us as we decide on what anti-abuse features we want to work on next.
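As an added example of the replay-window point (not the answer's or Firebase's own code): a guard for the Express onRequest workaround that verifies the App Check token and, as defence in depth, rejects tokens minted with a longer TTL than the project chose. The verifier is injected so the guard runs here against a constructed stub; the token values and APP_ID_PLACEHOLDER are assumptions.

```javascript
// Added example, not the answer's own code: an Express-style guard for an
// onRequest function that checks the X-Firebase-AppCheck header and, as defence
// in depth, rejects tokens whose lifetime (exp - iat) exceeds the TTL the project
// chose, so a token lifted from the browser cannot be replayed for a full day.
// `verifyToken` is injected: pass (t) => admin.appCheck().verifyToken(t) in production.
const APP_CHECK_HEADER = 'x-firebase-appcheck'; // Express lowercases header names

function makeAppCheckGuard(verifyToken, maxTtlSeconds) {
  return async function appCheckGuard(req, res, next) {
    const token = req.headers[APP_CHECK_HEADER];
    if (!token) return res.status(401).json({ error: 'missing App Check token' });
    let decoded;
    try {
      // verifyToken resolves to { appId, token }; `token` carries iat/exp in seconds
      decoded = (await verifyToken(token)).token;
    } catch (err) {
      return res.status(401).json({ error: 'invalid App Check token' }); // bad signature or expired
    }
    const lifetime = decoded ? decoded.exp - decoded.iat : NaN;
    if (!Number.isFinite(lifetime) || lifetime > maxTtlSeconds) {
      return res.status(401).json({ error: 'token lifetime exceeds policy' });
    }
    req.appCheck = decoded; // downstream handlers can read app_id etc.
    return next();
  };
}

// Constructed stub standing in for admin.appCheck().verifyToken(): it knows two
// hypothetical tokens, one minted with a 30-minute TTL and one with the 1-day default.
const NOW = 1700000000;
const STUB_TOKENS = new Map([
  ['short-lived', { appId: 'APP_ID_PLACEHOLDER', token: { iat: NOW, exp: NOW + 1800 } }],
  ['day-long', { appId: 'APP_ID_PLACEHOLDER', token: { iat: NOW, exp: NOW + 86400 } }],
]);
async function stubVerify(token) {
  if (!STUB_TOKENS.has(token)) throw new Error('invalid App Check token');
  return STUB_TOKENS.get(token);
}

// Drive the guard with a fake req/res; resolves to 'allowed' or the rejecting status.
async function runGuard(guard, headers) {
  const res = { code: 200, status(c) { this.code = c; return this; }, json() { return this; } };
  let passed = false;
  await guard({ headers }, res, () => { passed = true; });
  return passed ? 'allowed' : res.code;
}

const guard = makeAppCheckGuard(stubVerify, 3600); // policy: TTL of at most one hour
runGuard(guard, { [APP_CHECK_HEADER]: 'day-long' }).then((r) => console.log(r)); // 401
```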

Traffic routing when accessing Firestore through Firebase Cloud Functions

Does accessing Firestore through Firebase Cloud Functions route requests through the Google internal network?
Yes, requests between Cloud Functions and Firestore use the Google internal network to route their packets.
To provide a little bit more context, as mentioned at locations on Firebase, Firebase uses GCP resources which are created as needed. This means that it also creates a VPC network, as with any GCP project. As mentioned at VPC network overview, Google uses the internal network for resources in the same VPC network, so in short, yes, Firebase ends up using the Google internal network when communicating between functions and Firestore.
Let me know if this clarified your doubts!

what exactly is outbound networking in firebase [duplicate]

The Google Firebase pricing table (https://firebase.google.com/pricing/) states:
The Spark plan only allows outbound network requests to Google-owned
services.
Does it mean that JS function in web browser (client) page can't call Firebase function and retrieve data in FREE TIER?
firebaser here
Good catch, that piece of documentation probably should be clarified.
Inbound requests are allowed, as long as you're within your allowed quota. So your app can call a Cloud Function.
Outbound requests for projects on the free plan are only allowed to Google-owned services. So your Cloud Function code can only call Google-owned web APIs, unless it's on a paid plan.
Update: the above applies to Node.js runtimes up to v8. From Node.js 10 and upwards your Firebase project needs to be on a paid plan to be able to use Cloud Functions. For full details on this, see the Firebase FAQ on Cloud Functions pricing.
At the lowest possible cost (USD 11.53) it is better to have the Blaze plan and use REST calls to Firebase functions freely:
No, they do not talk about JavaScript functions, they talk about serverless computing functions:
https://firebase.google.com/features/functions/
These functions can only make HTTP calls to Google services and, e.g., not to Yahoo or Amazon services.

How to secure REST API endpoints served via GCP Cloud Run?

I have a simple web site hosted in Firebase and it is making AJAX calls to REST API endpoints in GCP Cloud Run.
I would like to limit these endpoints only to the calls coming from this site hosted in Firebase. Any call coming from any other origin should not be able to use the endpoints. What is the best way to do this?
When I was not using GCP Cloud Run, I was doing a host check on the API side to make sure that request is coming from my client but now with Cloud Run this is not possible. What else could be done?
Please note that the website hosted in Firebase is very simple and does not do any user authentication.
Challenge: Restrict access to a Cloud Run service to a single web application, without relying on:
Restricting access to the web application
Imposing authentication on users
This difficulty is not specific to Cloud Run. It's a general challenge for static sites backed by APIs, and a reason why many sites have authentication. As mentioned in the question comments, a server-side "host" check is not a meaningful security layer, as everything in the HTTP request can be faked. I strongly recommend you not worry about keeping your API private or add user authentication to keep the system simple and access accountable.
If that's not possible, you can still take the authentication approach by creating a single user, embedding the credentials in the site, and rotating them regularly (by redeploy to Firebase Hosting) to prevent credential theft from having indefinite access to your API. Having Firebase Auth in the middle is better than a simple API key because it prevents replay attacks from accessing your API.

Analytics API Call Request Limits

Our client is hitting their API call quotas for Analytics and trying to troubleshoot with their Dev team.
How can we help the client access their daily usage number to understand how much they are exceeding their quota?
The Google API console, which apparently has been renamed to "Google Cloud Platform", displays usage information in the "APIs & Services" section of your project.