Why do I get auth'ed when I test hitting my Firebase Cloud Function in a browser?

1
votes

I have a Firebase Cloud Function that handles HTTP requests, using:

export const foo = functions.https.onRequest((req, res) => {
  // etc.
}

When I hit the URL for it in a browser, I see a Google sign in page, listing my Google accounts. If I sign in, I then get a 403:

Error: Forbidden
Your client does not have permission to get URL /foo from this server.

Why? There's nothing about this in the docs that I can find. I'm on the free plan ("Spark"), if that makes any difference.

[edit]

I'm accessing the function using the URL:

https://us-central1-[project name].cloudfunctions.net/[function name]

There's no vanity URL.

1
firebasegoogle-cloud-functions
The plan you're on should not make a difference. How are you accessing the function? Is through the default ttps://us-central1-[project-name].cloudfunctions.net/app URL? Or through a vanity URL mapping on Firebase Hosting? - Frank van Puffelen
How exactly are you getting the URL for this function? - Doug Stevenson
Oh, I see what's happened. I changed my function name and didn't change the URL, then the auth gave me a false sense that I was indeed hitting my function when in fact I get the same auth from hitting us-central1-[project name].cloudfunctions.net/functionThatDoesntExist. Why is that auth there? It's quite confusing. - Eliot
Hi @Eliot did you manage to solve the issue? I'm getting the same problem, though I see my custom logs and standard one Function execution took 127 ms, finished with status code: 302 despite I explicitly do res.redirect(200). Thanks. - Ivan
@Ivan Yes, answer accepted below. If you're seeing logs from your function, I guess you're hitting your function ;-). Not sure a redirect with status code 200 makes sense. I'd post another question tbh. - Eliot

1 Answers

1
votes

The 403 message is originating from the main url https://us-central1-[project-name].cloudfunctions.net/ which is fully managed by Google.

It seems cloud functions does not have an error handling for non-existing functions name. Thus everything that is not created are treated the same way as a forbidden link. I don't know if this is an intended behavior but since the functions are running on a managed environment, there's not much handling of not existing functions against your project cloud function url.

The following statement from the link above explains it all:

"Cloud Functions run in a fully-managed, serverless environment where Google handles infrastructure, operating systems, and runtime environments completely on your behalf. Each Cloud Function runs in its own isolated secure execution context, scales automatically, and has a lifecycle independent from other functions. "

Hope this helps.