Firebase communication with Google Apps Script

1
votes

I know that we can use a Firebase backend function to send an HTTP request to Google Apps Script and receive it using "doGet()".

However, is it possible to call a Google Apps Script function from Firebase without sending an HTTP request (since it's part of the same Google account)?

My concern is with security, where one may be able to guess/sniff the right URL/parameters and then execute the Google Apps Script function (which makes a purchase). Alternatively, there may be a proper way to secure GAS web apps.

1
firebasegoogle-apps-script

1 Answers

2
votes

There are quite some details missing. But I think you're asking of a Google Cloud Functions/Cloud Functions for Firebase can call into an Apps Script web app or a Apps Script REST API. The answer is that they indeed can invoke those URLs (if they're publicly accessible and fall within your quota).

But that is no more security risk than that any browser can invoke these URLs. The security should not come from knowing or being able to call the URLs. If you want to secure an API, you should implement proper security on it. For more on see Authorization for Google Services in Apps SCript