Firebase functions: Securing firebase https functions


Question

How can an HTTPS call implemented with Firebase functions be secured? If a hacker knows the url he can call it easily. Are there any systems like api keys, app secrets to make this secure? What are the risks to consider?

Recommended answer

Updated following your comments.

If you need to restrict access to your Cloud Functions to authenticated users:

There is a sample in the official set of Cloud Function samples on GitHub which "shows how to restrict an HTTPS Function to only the Firebase users of your app". Here is the link: https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint

In addition, Firebase recently released the new HTTPS Callable functions, which "are similar to other HTTP functions, with [some] additional features, ... [including] ... Firebase Authentication." Here is the link to the documentation: https://firebase.google.com/docs/functions/callable

If you just want to "protect" your Cloud Functions based on an api key or a secret (hardcoded in the app), because they are "supposed to be called without any user being logged in":

Since you have access to the HTTPS request object in the Cloud Function you can add to the headers (or to the body in case of a POST) any "secret value" or "api key" and read it in the Function. However, if you need a revoking mechanism, it's up to you to implement it.

Finally, I would suggest you read this recent answer from Doug Stevenson from the Firebase team: How do you made Google Cloud Functions only worked when pinged from certain URLS?
