如何通过身份验证从firebase https函数调用firebase可调用函数？

Question

我试图了解我们如何安全地从 firebase https 函数调用 firebase 可调用函数，这里需要 auth 以便可调用函数不公开，它应该只能由该 https 函数访问。

注意：我是 gcloud 和 firebase 的新手 :(

Https函数：

import * as functions from "firebase-functions";
import * as app from "firebase/app";
//import * as auth from "firebase/auth"
import { getFunctions, httpsCallable } from "firebase/functions";
const firebaseConfig = {
apiKey: "WEBAPIKEY",
authDomain: "project.firebaseapp.com",
databaseURL: "https://project.firebaseio.com", // not required though
projectId: "project-id",
storageBucket: "project.appspot.com", // not required
//appId: process.env.APP_ID,  // not sure what to provide
messagingSenderId: "1234324" // default service account id
};
const firebaseApp = app.initializeApp(firebaseConfig);

export const caller = functions.https.onRequest((request, response) => {
   let messageText = "hi";
   const gfunctions = getFunctions(firebaseApp);
   const funtionB = httpsCallable(gfunctions, 'funtionB');
   funtionB({ text: messageText })
     .then((result: any) => {
      // Read result of the Cloud Function.
      console.log(result);
      response.send(result);
    });
 });

可调用函数：

import * as functions from "firebase-functions";

export const funtionB = functions.https.onCall((data, context) => {
  console.log(context.auth); // not getting anything
  /* if (!context.auth) { //trying to include this.
    return {status: "error", code: 401, message: "Not signed in"};
  } */
  return new Promise((resolve, reject) => {
    resolve({data: "YO", input: data});
  });
});

一些日志，让我心情不好，

Callable request verification passed {"verifications":{"app":"MISSING","auth":"MISSING"}}

我不会去用户浏览器使用这个https功能，不确定我们是否可以在没有浏览器的情况下使用auth check。有什么方法可以保护这个可调用函数吗？我想从主体中删除所有用户对这两个功能的访问权限，使其成为私有。

Answer 1

我会说这是不可能的，因为正如你所提到的，没有浏览器就无法进行身份验证检查，而且httpsCallable 接口不允许通过作为参数传递来强制上下文。

我想说最好的选择是将您的 Callable Function 转换为 Http Function，您可以在其中实现自己的身份验证检查，这个documentation 可能对此有用。