I have a Flutter mobile app (no web). I want the getData function to be accessed by my app only. When I did not have any app check the function was accessible through any web browser because it was public.
After I enable appcheck and add the following code. The app cloud function is still accessible like before publically.
How do I fix this?
import * as functions from "firebase-functions";
import * as admin from "firebase-admin";
admin.initializeApp();
exports.getData = functions
.runWith({
enforceAppCheck: true,
})
.https.onRequest(async (request, response) => {
At the time of writing, Firebase App Check can be used with:
App Check currently works with the following Firebase products:
- Realtime Database
- Cloud Firestore
- Cloud Storage
- Cloud Functions (callable functions)
- Authentication (beta; requires upgrade to Firebase Authentication with Identity Platform)
In your code, you define a HTTPS Request Cloud Function, which is not a Callable Cloud Function.
To use App Check, you will need to redefine your function as a Callable Cloud Function:
exports.getData = functions
.runWith({
enforceAppCheck: true,
})
.https.onCall(async (data, context) => {
return { /* ... response data ... */ };
});
Then on your client, you would call it using:
try {
final result =
await FirebaseFunctions.instance.httpsCallable('addMessage').call();
// do something with result
} on FirebaseFunctionsException catch (error) {
print(error.code);
print(error.details);
print(error.message);
}