0
votes

I have a rest api and this is the end point:

app.post('/Follow/:myUserId/:userId', async (req, res) => { /* ... */ });

authorization is activated by this example: https://github.com/firebase/functions-samples/blob/master/authorized-https-endpoint/functions/index.js

everything works as expected, but I have the doubt that if someone who is already authenticated with firebase and gets user ids can call that endpoint and "fake followers".

Suppose that the Id: 12121 (myUserId) is authenticated and starts calling that endpoint and passes it the id 4444 (myUserId) and 5555 (userId)

the user can be accessed through req.user in the rest call, it would be enough to put this in my endpoint:

app.post('/Follow/:myUserId/:userId', async (req, res) => {
    // req.user is set by the token-verifying middleware from the sample;
    // the decoded Firebase ID token carries the caller's uid.
    // Compare it against the client-supplied route parameter.
    if (req.user.uid !== req.params.myUserId) {
       res.status(403).send('Unauthorized');
       return;
    }
});

Would this fix it, or is it better to use database triggers?

1
Hi, there are a number of ways to authenticate the user to access the cloud function endpoint. I got a relevant post here, where they discussed possible ways to authenticate the end points. Hope this helps! - Nibrass H
Yes, I have already done that to protect an endpoint. My question is for another reason. - Angelru

1 Answer

0
votes

Cloud Function triggers fire on Firestore events only after a change has been made to the document. In your case it might be an additional overhead to update the document and revert it back when the user is unauthorized to do the action.

Your snippet is better in terms of not having the overhead, but the problem is anyone can fake the req.user.Id to match the myUserId, thus not prescribed to so.

The solution can be what is mentioned in the document you have posted: authorize the user with the token. So

  1. You get the user.id from the authorized firebase token (passed in the request header)

  2. Now you can match the id with myUserId to determine whether the user is authorized to perform the action.

    // verify the ID token taken from the request header, then attach the decoded claims
    const decodedIdToken = await admin.auth().verifyIdToken(idToken);
    req.user = decodedIdToken;

An alternative approach to do at database level is to have rules (instead of triggers) as explained here.
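The two steps from the answer, carried through as an added example (not code from the question, the answer, or the Firebase sample): the bearer token is verified server-side and its claims become req.user, and the handler then refuses any request whose route parameter myUserId does not equal the verified uid, so an authenticated caller cannot make another user "follow" someone. The token verifier is injected so the code runs offline; in a real deployment it would be firebase-admin's admin.auth().verifyIdToken. The fakeVerifyIdToken table, the token strings and the uids are constructed test data, and the follow(a, b) persistence callback is a hypothetical stand-in for the database write.

```javascript
// Pull the bearer token out of the Authorization header, as the Firebase
// authorized-https-endpoint sample does (its __session cookie path is omitted).
function extractIdToken(headers) {
  const auth = headers.authorization || '';
  if (!auth.startsWith('Bearer ')) return null;
  return auth.slice('Bearer '.length);
}

// Step 1: turn the header into a trusted identity. verifyIdToken is assumed to
// throw for an invalid or expired token and to resolve to the decoded claims
// (admin.auth().verifyIdToken in production). req.user is set here, on the
// server, so the client never controls it.
async function authenticate(req, verifyIdToken) {
  const idToken = extractIdToken(req.headers);
  if (!idToken) return { status: 403, body: 'Unauthorized' };
  try {
    req.user = await verifyIdToken(idToken);
    return null;
  } catch (e) {
    return { status: 403, body: 'Unauthorized' };
  }
}

// Step 2: the route parameter is client input; the only follower a caller may
// create is itself, so the verified uid must equal params.myUserId.
function authorizeFollow(user, params) {
  if (!user || user.uid !== params.myUserId) {
    return { status: 403, body: 'Forbidden' };
  }
  if (params.myUserId === params.userId) {
    return { status: 400, body: 'Cannot follow yourself' };
  }
  return null;
}

// Handler for POST /Follow/:myUserId/:userId composing both checks before the
// database write; returns an {status, body} result instead of using res.
async function handleFollow(req, verifyIdToken, follow) {
  const authErr = await authenticate(req, verifyIdToken);
  if (authErr) return authErr;
  const authzErr = authorizeFollow(req.user, req.params);
  if (authzErr) return authzErr;
  await follow(req.params.myUserId, req.params.userId);
  return { status: 200, body: 'ok' };
}

// Constructed stand-in for admin.auth().verifyIdToken: maps made-up opaque
// tokens to decoded claims. Only uid 12121 holds a valid token here.
const FAKE_TOKENS = { 'token-12121': { uid: '12121' } };
async function fakeVerifyIdToken(token) {
  if (!(token in FAKE_TOKENS)) throw new Error('invalid token');
  return FAKE_TOKENS[token];
}

// Replay the scenario from the question: uid 12121 is authenticated and tries
// to make 4444 follow 5555 (rejected), follows 5555 itself (accepted), and an
// unauthenticated request is rejected before any parameter is looked at.
async function demo() {
  const followed = [];
  const follow = async (a, b) => { followed.push([a, b]); };
  const mk = (token, myUserId, userId) => ({
    headers: token ? { authorization: 'Bearer ' + token } : {},
    params: { myUserId, userId },
  });
  const forged = await handleFollow(mk('token-12121', '4444', '5555'), fakeVerifyIdToken, follow);
  const legit = await handleFollow(mk('token-12121', '12121', '5555'), fakeVerifyIdToken, follow);
  const anon = await handleFollow(mk(null, '12121', '5555'), fakeVerifyIdToken, follow);
  return { forged: forged.status, legit: legit.status, anon: anon.status, followed };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

Because uid comes from the verified token rather than from the body or URL, the comparison in authorizeFollow is what stops the forged request; the 400 for following oneself is an extra sanity check, not part of the answer's two steps. The same pattern applies to any endpoint that takes the acting user's id as a parameter.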