Is there a way to restrict public access from firebase callable could functions

Question

Firebase callable cloud functions can be accessed via client sdks, which requires a valid auth context for authentication and authorization. But and at the

Answer 1

There is no built-in support for rejecting a request to a Cloud Function before it reaches your code. If you want such functionality consider setting up Cloud Endpoints in front of your Cloud Functions.

The best you can with just Cloud Functions do is check whether the caller is authorized as the first thing in your function code, so that you reduce the amount of time the function is active. You'll still be charged for the invocation in that case, but you'll minimize the GB-seconds and CPU-seconds.

Answer 2

Above given answer by @Frank van Puffelen is perfect but you can utilize a trik to restrict the access by securing that route. Here is the example,

const functions = require('firebase-functions');

exports.scheduleSampleJob = functions.https.onRequest((req , res) => {
     let auth = req.header('Authorization');

     if(auth == 'YOUR_API_AUTHORIZATION_KEY'){
         // valid Authorization key, process the call
     }else{
         //send forbidden if Authorization key not valid
         return res.status(403).send('Access is Forbidden'); 
     }
});

Now, if you want to call the endpoint, It will require a Authorization header in request having value your secret key.

As firebase cloud function can also be used with firebase-auth, you can create custom logic to allow access to users having auth only and restrict the access for public excluding your app's authentic users.

Answer 3

I tried out as @Frank suggested using google cloud run to deploy and ESP container which can by used to invoke private cloud functions. A detailed overview is described in the documentations itself.

https://cloud.google.com/endpoints/docs/openapi/get-started-cloud-functions#deploy_endpoints_proxy