Why you should be using Firebase Http Callable Functions

Temitope Omotunde
Oct 3, 2018

Firebase Cloud Functions is the glue that ties most of the other products on the Firebase platform together. This is due to the different Cloud Function triggers that exist:

  • Cloud Firestore Triggers
  • Realtime Database Triggers
  • Firebase Authentication Triggers
  • Google Analytics for Firebase Triggers
  • Crashlytics Triggers
  • Cloud Storage Triggers
  • Cloud Pub/Sub Triggers

But there is one type of Cloud Function that extends things beyond Firebase products. These are HTTP Cloud Functions.

Http Cloud Functions for Firebase

By default, when we talk of Http Cloud Functions for Firebase, we mean Cloud Functions that can be called via Http requests, which means they can be called from anywhere.
Below is a simple Http Cloud Function endpoint called simpleHttpEndpoint.

A simple Http Cloud Function. It returns a simple json response when it receives a request.

Note: If you use Cloud Functions for Firebase, please use the TypeScript option; it makes your life easier.

But usually Http Cloud Functions are used as endpoints for our applications, whether on Android, iOS or Web. Having an open endpoint that anyone can call is a major issue.

How to Protect Http Cloud Functions for Firebase

You can require Authorization for the endpoints to be used. This only works due to the Firebase Admin SDK. An Authorization token is sent with the request and the Firebase Admin SDK is used to verify the token. You can find an excellent code sample below.

Another way to protect your endpoints is to use Http Callable Functions.

Http Callable Functions

Http Callable Functions are variants of Http Cloud Functions for Firebase that can be called directly from your applications using the Cloud Functions for Firebase Client SDKs for your app platform.

A Simple Callable Cloud Function

Every call from the Client SDKs automatically comes with the Firebase Authentication and FCM tokens when they are available, i.e. when login is handled by Firebase Authentication on the Client.

The best part is that the callable endpoint automatically validates the auth token without you doing the heavy lifting like in the section before. You can then get the authorized Firebase User and continue.
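One thing the automatic validation does not do is reject callers who send no token at all: in that case the handler still runs and `context.auth` is simply undefined, so the function has to check it. The handler below is an added example, not code from the original article; `addNoteHandler`, its payload fields and the local `HttpsError` class (a stand-in for `functions.https.HttpsError` so the block runs without the SDK) are assumptions made for illustration.

```typescript
// Stand-in for functions.https.HttpsError (assumption, keeps the example SDK-free).
class HttpsError extends Error {
  code: string;
  constructor(code: string, message: string) {
    super(message);
    this.code = code;
  }
}

// The part of the callable context this handler relies on.
interface CallableContext {
  auth?: { uid: string; token: { [claim: string]: unknown } };
}

// Everything in the payload is client-controlled, so type it as unknown.
interface NoteRequest {
  ownerUid?: unknown;
  text?: unknown;
}

// Hypothetical callable handler: stores a note for the signed-in user.
function addNoteHandler(data: NoteRequest, context: CallableContext) {
  // 1. Authentication: a call without a token still reaches the handler.
  if (!context.auth) {
    throw new HttpsError("unauthenticated", "Sign in before calling addNote.");
  }
  // 2. Input validation: never trust the shape or size of client data.
  if (typeof data.text !== "string" || data.text.length === 0 || data.text.length > 500) {
    throw new HttpsError("invalid-argument", "text must be 1-500 characters.");
  }
  // 3. Authorization: identity comes from the verified token, not the payload.
  if (data.ownerUid !== undefined && data.ownerUid !== context.auth.uid) {
    throw new HttpsError("permission-denied", "Cannot write notes for another user.");
  }
  return { ownerUid: context.auth.uid, text: data.text };
}

// Wiring in a real project (requires the firebase-functions package):
//   export const addNote = functions.https.onCall(addNoteHandler);
```
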

Summary

If your Https Cloud Functions for Firebase are going to be called only by your applications, use Http Callable Functions in Cloud Functions. They automatically add the Authorization layer and reduce your work in both the Cloud Functions and your applications.

I have decided to do an article that goes deeper into Http Callable Cloud Functions for Firebase.
