Cloud Functions: where to keep access token for API calls - firebase

I have created a Cloud Function which:
Receives some data
Calls a google API to verify the data are correct
Now, to call the google API I need to authenticate first. This will give me an access token (that expires) that can be used for subsequent calls.
I'm wondering where can I save this access token so that other invocations of the function can "see" it and use it. I know I cannot use a "global variable" as the function may run on different machines.
The obvious solution is to write it in Realtime Database... But I don't really like it, as someone could get access to it... Does Cloud Functions provide an object or something where I can write data into?

Cloud Functions are intended to be stateless, and there is no persistent storage it provides. Also, Cloud Functions could start up many server instances to handle your functions, so you will have to find a way to share data between those instances as they come and go.
Storing your token in the Realtime Database is probably your best option. As long as you're using security rules correctly, no one will be able to read it.

Related

How to use Firebase (or Firestore) as an intermediary between a desktop app and an external API endpoint?

I have a desktop app that will be distributed to users, and part of its code (which the user might be able to access) has to perform an API call to a third-party web service. However, this requires the API keys to be embedded into the source code, which causes some obvious security issues.
The main solution I've found while researching on the subject is to have a backend server between the user and the third-party API endpoint. So, I've been looking into Firebase for a while and it seems that this solution can be implemented using Firestore and Cloud Functions.
But, I wasn't able to find any clear examples that achieve something like this, and since I have no previous experience with Firebase or just backend programming in general, I would like to know if I'm on the right track and get more details about how to get it done, or if there are better alternatives for solving this issue. Any input is appreciated, thx.
You can use the firebase cloud functions as you mentioned. Your desktop application will be communicating with the cloud function - simple API call. Here you can find examples how to implement and deploy functions and test it locally https://firebase.google.com/docs/functions/get-started. Your cloud function will hold the API keys (it is backend so it will be secure if you dont expose it explicitly. Also the backend to backend communication is considered as secure). Finally, this cloud function will call the third party service and return some data back to the desktop app if needed. So you are on the right track, that is how the design should look like. If you need some help with cloud functions, you can also contact me directly.

Is Firebase Firestore real-time updates using Cloud functions possible?

Going through this blog, I could see that my app would be better off using the Firebase cloud functions for Firebase Firestore rather than directly accessing Firestore using client-side SDK.
I can implement the Firestore READ operation using get(), WRITE operation using set() or update() &
DELETE using delete() methods. All these one-shot operations are fine.
Is possible to implement addSnapshotListener to fetch real-time updates? If yes, how?
While it technically is possible to use addSnapshotListener, there are not a lot of use-cases where this makes sense.
Cloud Functions are short-lived, a maximum of 9 minutes, so not well suited for scenarios where you need to listen to the database for longer times.
Typically, you'll want to instead define a separate Cloud Function that responds to the thing you'd otherwise want to listen to.
Realtime listeners are not compatible with the way Cloud Functions works. Functions can only run for a limited amount of time and are shut down after that timeout expires. Database listeners are indefinite, and will continue listening until they are removed. If you add a listener inside a function, the system will still shut it down after the function timeout expires.
It's unclear to me why you need a listener in a Cloud Functions, but it's almost certainly not the right thing to do, given the way functions work.

Cloud Functions: Store Simple Shared Value Across Instances without Database/VPC?

Writing a firebase/google cloud function, and need to store an environment value for use across multiple function calls. That value expires and needs to be re-fetched on occasion and updated in production.
I'm looking for a lightweight option for that. Seems all the advice I can find is that you need to spin up a VPC and create a dedicated Redis instance... or you need to create a cloud database and store it there... I just need to save a simple string, and it seems like an awful lot of infrastructure to do that.
One would think environment variables would work, but you can only set on the command line and they are only refreshed on deploy...
To store environment data, you can use the firebase
functions:config:set command.
To get environment data, you can use the functions.config() function.
See https://firebase.google.com/docs/functions/config-env.
So, is there a way to update/set a value in my code? I cannot rely on the command line to update it as it expires, like a cron to update and redeploy.
In Google Apps Script, for example, I'd just use the 'cache' helper service and store the value for a few hours. Any equivalent cache available to cloud functions without resorting to storing on GCS or in a database (it's a single, simple token string...)? Thanks.
Cloud Functions does not offer any form of shared environment variables between functions. You will need to look to an external source such as Cloud Secrets Manager, Cloud Storage or one of the databases. I use both Cloud Storage and Datastore for this feature. I am now looking into Cloud Secrets Manager as my software usually has secrets as well.

Can I perform additional operations after responding from a Firebase Cloud Function? [duplicate]

This question already has answers here:
Continue execution after sending response (Cloud Functions for Firebase)
(3 answers)
Closed 3 years ago.
I'm currently looking to take in a request (using Express/Firebase Cloud Functions)and do some calculations/make some requests, send a response, but then respond to a user before updating my database or doing some extra calculations.
Use case example: Occasionally, a user will follow another user. This means that I want to update all over my database so that my data is in the right place later on. I don't need my user to wait for me to do this, this is something I can do long after the server knows the user wishes to follow them.
Can I receive the user request, perform a server action, respond to the user, then continue on with my cloud function? I have read inn places that a function terminates on responses, but it's not clear how else you go about this or if it only terminates on specific responses.
The way to explain is not possible to achieve, I mean, after you return from a function the process is done.
However, there are several patterns you can implement, it just matters of playing with triggers, take a look.
You can save a state on a firestore collection and trigger a background function which fetches this state and do whatever you need.
If you don't feel like saving this on collection, you have PubSub available as well.
This should give you a good starting point to investigate what is the best solution for your use case.
Hope this helps!
There are two kinds of cloud Functions for Firebase: the ones that you can call directly (HTTPS Callable functions, HTTPS "simple" functions and scheduled functions) and the one that respond to events generated by some of the Firebase services or Google Cloud features like for example Firestore, Authentication events or Cloud Storage (see https://firebase.google.com/docs/functions for a full list)
Classically, when you want to send a response to a user after he/she initiated a Cloud Function, you would choose an HTTPS Callable functions or an HTTPS "simple" functions. But this is not the only way to do it: you can very well send a feedback to the user with a background triggered Cloud Function, mainly by writing something in Firestore (or the Realtime database) to a location the front-end is listening to.
With this second way, you can very well "respond to the user, then continue on with [the] cloud function". While with a callable Cloud Function when you send back the response to the user the Function is terminated.
So let's describe this method in a bit more details for Firestore:
You trigger the background function, for example by writing to a Firestore document/collection from your front-end
At the same time, from the front-end, you set a listener to a specific document (not necessarily the same document than above). See here for setting a listener.
The Cloud Function starts to do some work and at one moment writes to this specific document in Firestore
In the front-end, the user is informed of the write through the listener
In the background the Cloud Function can continue its other tasks.
The key point is that you have to correctly chain all the asynchronous tasks of the Cloud Function by chaining the promises.

using cloud firestore and cloud functions within unity app safely

In my Unity project, I'm using simple web requests (POST requests) to store and retrieve information from the Cloud Firestore, and it is all working fine.
The POST requests are made to some Cloud Functions that do all the job in the database.
The thing is I'm using the database with all permission (read and write) granted to everyone.
I don't know how to safely allow this operations. What I mean by this is if I'm an user of the app (and I'm INSIDE the app), then I should be able to read and write from the database, but outside the app nobody should be allowed to do any modification in the database.
How can I secure my database within these constraints? I read about Firebase auth but I didn't understand.
You'll need to learn about Firestore security rules. It's a long and complex topic, and impossible to say for sure exactly what's required for your case. But you can start reading the documentation about it.

Resources