Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
206 views
in Technique[技术] by (71.8m points)

node.js - How do I get the origin URL of a Firebase Function request?

I am trying to build an application that executes logic ONLY if the origin URL is on allowlist. I am trying to get the origin URL inside of a Firebase Function using the following methods:

I tried using these from this stack overflow post:

req.get('Referrer')
req.get('Referer')
req.headers.referer
req.headers.referrer

All return undefined.

I tried to to put together this function from this stack overflow post:

function getOriginUrl(req: any) {
    return req.protocol + '://' + req.get('host') + req.originalUrl
}

This returns the base url of my cloud functions

https://us-central1-secured-1q4fq.cloudfunctions.net/

What I would actually like to see is the url that the post was made from. I am using this to make the post so I expect to see:

 https://reqbin.com
question from:https://stackoverflow.com/questions/65943377/how-do-i-get-the-origin-url-of-a-firebase-function-request

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The code is fine. Unlike on browsers where this header is automatically generated depending on the policy they're using, you'll need to set the Referrer header on reqbin (or any API tools like Postman) for example:

Referrer :  https://reqbin.com 

However there are security concerns on using this header as it can be easily manipulated. You should know this.

A better solution to secure your Firebase Functions is to use Firebase Auth. Here's a note:

HTTP requests don’t “come from a domain name”. HTTP requests appear to come from IP addresses whose traffic is routed across global networks. You could try to limit execution to certain source IPs, but those IP addresses aren’t guaranteed to identify the true source of the request.

If you want to protect your functions from execution, it’s better to require some other sort of security that identifies the originator of the request.

The Firebase team provides sample code that shows how to limit requests from only users authenticated with Firebase Authentication. You can also require the client to send a key that authorizes its use of a function.

Additional References:


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...