
Is it normal that I am able to invoke firebase cloud functions from any kind of frontend app?

I am using axios to call the Firebase cloud functions I have created with express/firebase. I realized that even without using or importing firebase, and without calling initializeApp(firebaseConfig) in my frontend, I was able to call my cloud functions with axios in the following way:

axios.get('https://us-central1...')

How I create cloud functions:

index.js

module.exports ={
    ...require('./controllers/foo')
}

foo.js

const functions = require('firebase-functions');
const express = require('express');
const cors = require('cors');

const admin = require('firebase-admin');
admin.initializeApp();
const db = admin.firestore();

const app = express();

//Middleware
app.use(express.json());
app.use(cors({ origin: true}));

app.get('/', async (req, res) => {
    // Function goes in here
});

app.post('/', async (req, res) => {
    // Function goes in here
});

app.put('/:id', async (req, res) => {
    // Function goes in here
});

app.delete('/:id', async (req, res) => {
    // Function goes in here
});

exports.foo = functions.https.onRequest(app);

Is this normal behavior, or is it somehow due to the way express (cors as middleware) or axios works? Or do I just have to add auth and firestore rules to my database? Whatever the reason is, what then is the meaning of the firebaseConfig information that firebase provides for us?

PS: Just to play around I have tried to add firestore rules. I have added the following rule:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

Even though in the rules playground I was not able to retrieve anything, from my application I still got the query I wanted and I don't know why.


Answer

Yes, that is absolutely normal. The HTTP Functions are made so you can integrate your Firebase Project with any (absolutely any) other language or platform by using HTTP requests, as the trigger name shows. As you already do, you can even implement express apps behind those requests.

With those you get full power and responsibility over what goes through them, and with that also comes the need for you to know who is calling your HTTP requests. If you want to secure them you can use the link from the comment and check how to make Authorized HTTP Endpoints.

If you want to call those just from your App Frontend I would recommend using Callable Firebase Functions, because those will work only from your app and also provide the data of the user who called them in the context of the triggered cloud function.

User contributions licensed under: CC BY-SA
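The "authorized HTTP endpoint" approach the answer refers to, sketched as an added example that is not part of the original question or answer: an Express-style middleware that rejects any request without a valid Firebase ID token before the routes in foo.js run. The names `extractBearerToken`, `requireFirebaseAuth`, `fakeVerify` and `simulate` are hypothetical; the verifier is injected so the block runs offline, and in the deployed function it would be `(t) => admin.auth().verifyIdToken(t)`.

```javascript
// Added example. In foo.js the wiring would be (assumption):
//   app.use(requireFirebaseAuth((t) => admin.auth().verifyIdToken(t)));

// Pull the token out of "Authorization: Bearer <token>"; null if absent or malformed.
function extractBearerToken(header) {
  if (typeof header !== 'string') return null;
  const match = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/i.exec(header.trim());
  return match ? match[1] : null;
}

// Express-style middleware: the request continues only if the ID token verifies.
function requireFirebaseAuth(verifyIdToken) {
  return async (req, res, next) => {
    const token = extractBearerToken(req.headers.authorization);
    if (!token) {
      return res.status(401).json({ error: 'missing bearer token' });
    }
    try {
      // Decoded claims (uid, ...) become available to the route handlers.
      req.user = await verifyIdToken(token);
    } catch (err) {
      // Expired, malformed or wrongly signed tokens all end up here.
      return res.status(401).json({ error: 'invalid token' });
    }
    return next();
  };
}

// Constructed stand-in for the verifier: accepts exactly one sample token.
const fakeVerify = async (token) => {
  if (token !== 'good.test.token') throw new Error('verification failed');
  return { uid: 'user-123' };
};

// Constructed stand-ins for Express req/res, so the middleware can be driven directly.
async function simulate(headers) {
  const req = { headers };
  const out = { status: null, body: null, nextCalled: false, user: null };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  await requireFirebaseAuth(fakeVerify)(req, res, () => { out.nextCalled = true; });
  out.user = req.user || null;
  return out;
}
```

The function in foo.js talks to Firestore through firebase-admin, which bypasses Firestore security rules, so a check like this inside the function is what gates access to the data. A plain `axios.get` with no `Authorization` header then receives a 401 instead of the query result.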