
I’m building an Android App that searches for nearby locations. I use the Firebase login system (login with email and password, and login with Google, Facebook, etc.), therefore I would also like to build an API with Firebase (also because I need the app to be more complicated). I have built a serverless API with Firebase Cloud Functions and I can make GET/PUT requests with Postman. However, I would like to secure these endpoints, similar to how JWTs secure a REST API, so that only users who are logged in to the App can make requests. How do I achieve this? I have looked at “authorized-https-endpoint” but it seems like it only allows Google Sign-In.

Or is there a way that I can still use a Node and MongoDB REST API, and secure it using the accounts logged into Firebase?

Here is a piece of the backend code:

// Dependencies the snippet relies on (omitted from the original excerpt).
const functions = require('firebase-functions');
const admin = require('firebase-admin');
const express = require('express');

admin.initializeApp();
const db = admin.firestore();
const app = express();

// Read one document from the "items" collection by its id.
app.get('/api/read/:item_id', async (req, res) => {
    try {
        const document = db.collection('items').doc(req.params.item_id);
        const item = await document.get();
        // A missing document resolves normally with no data; report it rather than returning an empty 200.
        if (!item.exists) {
            return res.status(404).send({ error: 'item not found' });
        }
        return res.status(200).send(item.data());
    } catch (error) {
        console.log(error);
        // Note: sending the raw error object exposes internal details to the caller.
        return res.status(500).send(error);
    }
});

exports.app = functions.https.onRequest(app);

Thank you guys so much in advance.

2 Answers


  1. Use Firebase Callable Functions. They fulfill your requirement.

    Refer: https://firebase.google.com/docs/functions/callable

    In the case where there are issues with the function calls, please refer to this: firebase.google.com/docs/functions/callable-reference.
    As mentioned here, this is to be used only if the SDKs don’t work for you.

  2. The authorized-https-endpoint example supports all forms of auth on the client, as long as it’s going through the Firebase Auth SDK. In all cases, the client can send an auth token to the function, and the function code can use the Firebase Admin SDK to verify the token. It doesn’t matter how the user authenticated – any Firebase user account will work.

    You can also use a callable function, which will automatically perform the validation for you in the exact same way. Your code must then check to see if a user was authenticated using the calling context before continuing.

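The token check described in the second answer, written out as an added example (this is not code from the original post or from Firebase): an Express-style middleware that takes the Firebase ID token from the `Authorization: Bearer` header and hands it to a verifier. The verifier is injected so the middleware can be run without the Admin SDK; in a deployed function you pass `(t) => admin.auth().verifyIdToken(t)`. The `parseBearer`, `makeFirebaseAuth` names and the 401 response bodies are this example's own choices.

```javascript
// Added example, not the poster's code. Shape assumed: Express req/res/next.

function parseBearer(headerValue) {
  // Accept only "Bearer <token>"; any other scheme counts as no credential.
  if (typeof headerValue !== 'string') return null;
  const m = /^Bearer (\S+)$/.exec(headerValue.trim());
  return m ? m[1] : null;
}

// verifyIdToken: async (idToken) => decoded claims; must throw on anything
// invalid. In production: (t) => admin.auth().verifyIdToken(t) from
// 'firebase-admin', which checks signature, issuer, audience and expiry.
function makeFirebaseAuth(verifyIdToken) {
  return async function firebaseAuth(req, res, next) {
    const token = parseBearer(req.headers && req.headers.authorization);
    if (!token) {
      return res.status(401).send({ error: 'missing bearer token' });
    }
    try {
      const decoded = await verifyIdToken(token);
      // Only claims from a verified token are trusted; never read the uid
      // from the request body or query string.
      req.user = { uid: decoded.uid, email: decoded.email };
      return next();
    } catch (err) {
      // Log the reason server-side, but do not echo it to the client.
      console.error('ID token rejected:', err.message);
      return res.status(401).send({ error: 'invalid or expired token' });
    }
  };
}

// Wiring in the Cloud Function (assumed; matches the poster's Express app):
//   const admin = require('firebase-admin'); admin.initializeApp();
//   app.use('/api', makeFirebaseAuth((t) => admin.auth().verifyIdToken(t)));
//   app.get('/api/read/:item_id', (req, res) => { /* req.user.uid is set */ });
```

The Android client obtains the token with `FirebaseUser.getIdToken()` and sends it on every request; the server never has to know which provider (email, Google, Facebook) produced the account.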