The firebase docs state:
A Firebase Authentication user ID token for the logged-in user making the request. The backend automatically verifies this token and makes it available in the handler's
context. If the token is not valid, the request is rejected.
https://firebase.google.com/docs/functions/callable-reference
However, with the following function, I am able to hit the endpoint with an unauthenticated POST.
@https_fn.on_call(memory=512)
def simple_on_call(req: https_fn.CallableRequest):
return {
"echo": req.data["arbitraryPayload"],
"auth": req.auth
}
And then the POST:
curl -X POST -H "Content-Type: application/json" -d '{"data": {"arbitraryPayload": "whatever you want"} }' $MY_FUNC_ENDPOINT
# Response: {"result":{"auth":null,"echo":"whatever you want"}}
Is this expected?
Yes, this is expected. Callable functions don't require authentication, they just accept an ID token and automatically verify it (only if provided), so that you don't have to write that boilerplate code on either the client or function code. From the documentation, emphasis mine:
With callables, Firebase Authentication tokens, FCM tokens, and App Check tokens, when available, are automatically included in requests.
If you want your function to reject unauthenticated requests, you'll have to write code for that in you function to determine what exactly to do. There is an example in the documentation:
# Checking that the user is authenticated.
if req.auth is None:
# Throwing an HttpsError so that the client gets the error details.
raise https_fn.HttpsError(code=https_fn.FunctionsErrorCode.FAILED_PRECONDITION,
message="The function must be called while authenticated.")