2
votes

I have some HTTP functions that I call via httpsCallable. I noticed that in the GCloud UI they are listed with authentication: Allow unauthenticated.

When you call an HTTP function via httpsCallable the user auth token is automatically included and decoded for the receiving end.

I figured that allowing unauthenticated function calls must be a bad thing, so I removed the IAM policy from the allUsers group as described here; however, in doing so my app stopped working, giving me errors like:

[Error] Preflight response is not successful

[Error] Fetch API cannot load https://europe-west2-my-project-dev.cloudfunctions.net/someFunction due to access control checks.

Is it true that I need to allow all users to call my functions, even though they are being called with httpsCallable by users who are already authenticated with Firebase Auth?

I find this confusing, so hopefully someone can clear this up.

1 Answer

3
votes

Google Cloud Platform's IAM access control has no knowledge of Firebase Authentication users.

Since Callable Cloud Functions integrate with Firebase Authentication's users, you must allow all users access on the GCP infrastructure level to use them. Then in your Cloud Functions code, you check whether the Firebase Authentication user is authorized to perform the operation.

I agree it'd be cool if you could lock down to groups of Firebase Authentication users in the GCP IAM layer too, but that is currently not the case.
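What the answer describes in code, as an added example that is not part of the question or the answer: the function stays invokable by allUsers at the GCP IAM layer, so the browser's preflight and the call itself reach the function, and the function then authorizes the Firebase Authentication user that httpsCallable attached to the request. The handler is written as a plain function so it runs without the firebase-functions package; the `onCall` wiring, the `CallableError` stand-in for `functions.https.HttpsError`, the `admin` custom claim and the `DOCUMENT_OWNERS` table are assumptions made for the example.

```javascript
// Added example (not the question's or the answer's code): a Callable
// Cloud Function handler that does its own authorization on the Firebase
// Auth user, because GCP IAM cannot see Firebase Authentication users.
//
// In a real deployment this handler is wired up with firebase-functions:
//   const functions = require('firebase-functions');
//   exports.deleteDocument = functions.https.onCall(deleteDocumentHandler);
// Here it is kept as a plain function so it runs stand-alone.

// Stand-in for functions.https.HttpsError (assumption: only the code and
// message matter for this example). The codes 'unauthenticated',
// 'permission-denied', 'invalid-argument' and 'not-found' are codes the
// Callable protocol defines, so the client receives a typed failure.
class CallableError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Constructed stand-in for a Firestore lookup of who owns each document.
// Ownership must come from server-side data, never from the client payload,
// otherwise a caller could simply claim to own anything.
const DOCUMENT_OWNERS = {
  'doc-1': 'uid-alice',
  'doc-2': 'uid-bob',
};

// Require a signed-in Firebase Auth user. For callable functions the
// decoded ID token is exposed as context.auth; an unauthenticated caller
// has no context.auth at all.
function requireUser(context) {
  if (!context || !context.auth || !context.auth.uid) {
    throw new CallableError('unauthenticated', 'Sign in to call this function.');
  }
  return context.auth;
}

// Require a custom claim on the decoded token (claims are set server-side
// with the Admin SDK's setCustomUserClaims). The claim name is hypothetical.
function requireClaim(auth, claim) {
  if (!auth.token || auth.token[claim] !== true) {
    throw new CallableError('permission-denied', `Missing "${claim}" claim.`);
  }
}

// Handler body: `data` is the client payload, `context` carries the auth.
// Rule for this example: a user may delete a document they own, and a
// caller with the "admin" claim may delete any document.
function deleteDocumentHandler(data, context) {
  const auth = requireUser(context);
  if (!data || typeof data.docId !== 'string' || data.docId.length === 0) {
    throw new CallableError('invalid-argument', 'docId is required.');
  }
  const owner = DOCUMENT_OWNERS[data.docId];
  if (owner === undefined) {
    throw new CallableError('not-found', 'No such document.');
  }
  const isOwner = owner === auth.uid;
  if (!isOwner) {
    requireClaim(auth, 'admin');
  }
  // Real code would delete the Firestore document here; the example
  // returns the authorization decision instead.
  return { deleted: data.docId, by: auth.uid, asAdmin: !isOwner };
}
```

The IAM binding for allUsers only decides whether the request reaches the function at all; every authorization decision about *which* Firebase user may do *what* lives in code like `requireUser` and `requireClaim`, and it has to be repeated in every callable, since nothing in front of the function does it for you.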