Firebase functions: Securing firebase https functions


Problem description

How can an HTTPS call implemented with Firebase functions be secured? If a hacker knows the url he can call it easily. Are there any systems like api keys, app secrets to make this secure? What are the risks to consider?

Recommended answer

Updated following your comments.

If you need to restrict access to your Cloud Functions to authenticated users:

There is a sample in the official set of Cloud Function samples on GitHub which "shows how to restrict an HTTPS Function to only the Firebase users of your app". Here is the link: https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint

In addition, Firebase recently released the new HTTPS Callable functions, which "are similar to other HTTP functions, with [some] additional features, ... [including] ... Firebase Authentication". Here is the link to the documentation: https://firebase.google.com/docs/functions/callable

If you just want to "protect" your Cloud Functions based on an API key or secret (hardcoded in the app) because they "should be called without any user logged in":

Since you have access to the HTTPS request object in the Cloud Function you can add to the headers (or to the body in case of a POST) any "secret value" or "api key" and read it in the Function. However, if you need a revoking mechanism, it's up to you to implement it.

Finally, I would suggest you read this recent answer from Doug Stevenson from the Firebase team: How do you made Google Cloud Functions only worked when pinged from certain URLS?
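
The header-based secret check with a revocation mechanism described in the answer above, as an added example that is not part of the original answer or of Firebase's own samples. The header names `x-api-key-id` and `x-api-key`, the key table and the key values are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest();

// Constructed sample table: hashes of issued keys, indexed by a key id so one
// key can be revoked without touching the others. Where this table is stored
// (datastore, config) is left open here.
const issuedKeys = new Map([
  ['mobile-v1', { hash: sha256('constructed-key-aaa'), revoked: false }],
  ['mobile-v0', { hash: sha256('constructed-key-old'), revoked: true }],
]);

// Header names are assumptions for this example. Node lowercases header names.
function checkApiKey(headers, keys = issuedKeys) {
  const keyId = headers['x-api-key-id'];
  const presented = headers['x-api-key'];
  if (typeof keyId !== 'string' || typeof presented !== 'string') {
    return { ok: false, status: 401, reason: 'missing credentials' };
  }
  const entry = keys.get(keyId);
  // Always run one fixed-length, constant-time comparison, even for unknown
  // ids, so the response does not reveal which part was wrong.
  const expected = entry ? entry.hash : sha256('');
  const match = crypto.timingSafeEqual(sha256(presented), expected);
  if (!entry || !match) {
    return { ok: false, status: 401, reason: 'invalid key' };
  }
  if (entry.revoked) {
    return { ok: false, status: 403, reason: 'revoked key' };
  }
  return { ok: true, status: 200, reason: 'ok' };
}

// Express-style (req, res) handler, the shape an HTTPS function receives.
// With firebase-functions it would be passed to functions.https.onRequest().
function handler(req, res) {
  const result = checkApiKey(req.headers || {});
  if (!result.ok) {
    return res.status(result.status).send(result.reason);
  }
  return res.status(200).send('hello');
}
```

A key hardcoded in an app can be read out of that app by anyone who has it, so the per-key id and the `revoked` flag are what allow a leaked key to be retired without breaking clients that hold a different key.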
