I am using Firebase Cloud Functions. When I first ran into CORS I set origin to true, but that way anyone can access my functions, so I looked for a way to allow only specific domains to access my Cloud Functions. I took the code from the cors GitHub page and tried it, but after waiting and waiting I get "unexpectedly closed the connection".
here is my function index.js --
const functions = require('firebase-functions');
const cors = require('cors');
// Origins that may read responses cross-origin. Each entry is compared to the
// request's Origin header by exact string match.
// NOTE(review): both entries are empty strings here; presumably the real
// origins were removed before posting.
const whitelist = ['', ''];

/**
 * Per-request options delegate for the cors middleware.
 *
 * CORS headers only tell a browser whether page scripts may read the response.
 * They do not authenticate the caller, and a non-browser client can send any
 * Origin value it likes.
 *
 * @param {object} req - Incoming request; only `req.header('Origin')` is read.
 * @param {function(Error|null, object): void} callback - Receives `(error, options)`.
 */
const corsOptionsDelegate = function (req, callback) {
  const requestOrigin = req.header('Origin');
  // true  -> reflect the requested origin in the CORS response
  // false -> send no CORS headers for this request
  const isListed = whitelist.includes(requestOrigin);
  callback(null, { origin: isListed });
};
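/**
 * HTTP function that answers "Get started" or "Closed" depending on the hour.
 *
 * Fix: cors() is a factory. It takes the options (here the per-request
 * delegate) and returns the middleware, which must then be called with
 * (req, res, next). Calling cors(req, res, next) directly only builds a
 * middleware and never runs it, so no response is sent and the request hangs
 * until the connection is closed.
 *
 * The handler still runs when the delegate answers `origin: false`; the
 * response is then sent without CORS headers. CORS therefore restricts which
 * web pages can read the response, not who can call the function. Restricting
 * callers needs a credential that is verified inside the function.
 */
exports.api = functions.https.onRequest((req, res) => {
  cors(corsOptionsDelegate)(req, res, () => {
    // getHours() uses the local time zone of the runtime executing the function.
    const hour = new Date().getHours();
    // Open for hours 9 through 16 inclusive.
    const isOpen = hour > 8 && hour < 17;
    res.status(200).send(isOpen ? 'Get started' : 'Closed');
  });
});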
I am using Firebase Cloud Functions. When I first ran into CORS I set origin to true, but that way anyone can access my functions, so I looked for a way to allow only specific domains to access my Cloud Functions. I took the code from the cors GitHub page and tried it, but after waiting and waiting I get "unexpectedly closed the connection".
here is my function index.js --
const functions = require('firebase-functions');
const cors = require('cors');
// Origins that may read responses cross-origin. Each entry is compared to the
// request's Origin header by exact string match, so scheme, host and port must
// all agree with what the browser sends.
const whitelist = ['http://example1.', 'http://example2.'];

/**
 * Per-request options delegate for the cors middleware.
 *
 * CORS headers only tell a browser whether page scripts may read the response.
 * They do not authenticate the caller, and a non-browser client can send any
 * Origin value it likes.
 *
 * @param {object} req - Incoming request; only `req.header('Origin')` is read.
 * @param {function(Error|null, object): void} callback - Receives `(error, options)`.
 */
const corsOptionsDelegate = function (req, callback) {
  const requestOrigin = req.header('Origin');
  // true  -> reflect the requested origin in the CORS response
  // false -> send no CORS headers for this request
  const isListed = whitelist.includes(requestOrigin);
  callback(null, { origin: isListed });
};
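/**
 * HTTP function that answers "Get started" or "Closed" depending on the hour.
 *
 * Fix: cors() is a factory. It takes the options (here the per-request
 * delegate) and returns the middleware, which must then be called with
 * (req, res, next). Calling cors(req, res, next) directly only builds a
 * middleware and never runs it, so no response is sent and the request hangs
 * until the connection is closed.
 *
 * The handler still runs when the delegate answers `origin: false`; the
 * response is then sent without CORS headers. CORS therefore restricts which
 * web pages can read the response, not who can call the function. Restricting
 * callers needs a credential that is verified inside the function.
 */
exports.api = functions.https.onRequest((req, res) => {
  cors(corsOptionsDelegate)(req, res, () => {
    // getHours() uses the local time zone of the runtime executing the function.
    const hour = new Date().getHours();
    // Open for hours 9 through 16 inclusive.
    const isOpen = hour > 8 && hour < 17;
    res.status(200).send(isOpen ? 'Get started' : 'Closed');
  });
});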
edited Jun 22, 2017 at 13:05
Frank van Puffelen
asked Jun 22, 2017 at 12:47
user7716943
- 1 You're defining a function called corsOptionsDelegate, but you're not doing anything with it. Seems to me that function has to be passed somewhere. – Doug Stevenson Commented Jun 23, 2017 at 2:22
- okay but im newbie to this I don't know how to do it, or maybe if there is a way to allow only authenticated users to acess – user7716943 Commented Jun 23, 2017 at 2:50
- You can use Authentication headers to only allow authenticated users to access the function, see answer here: stackoverflow./a/43239529/8209335 – mikat Commented Jun 25, 2017 at 15:09
- 1 Possible duplicate of Secure HTTP trigger for Cloud Functions for Firebase – David Commented Jun 25, 2017 at 15:33
1 Answer
With an HTTP-triggered function on Firebase Cloud Functions, the cors middleware's origin
parameter will be undefined, as will the value of the request's Origin header:
// Origins that may read responses cross-origin (exact string match).
const whitelist = ['https://example1.'];

// Options object for the cors middleware with a custom origin check.
const corsOptions = {
  /**
   * Decide whether the request's origin is allowed.
   *
   * @param {string|undefined} origin - Origin value handed over by the cors middleware.
   * @param {function(Error|null, boolean=): void} callback - `(null, true)` to
   *   allow, or an Error to reject.
   */
  origin(origin, callback) {
    console.log(origin); // undefined
    // A missing Origin is not in the list either, so it is rejected as well.
    if (!whitelist.includes(origin)) {
      callback(new Error('Not allowed by CORS'));
      return;
    }
    callback(null, true);
  },
};
// Route guarded by the cors middleware configured with corsOptions. The log
// line shows what the handler sees in the request's Origin header.
app.get('/products/:id', cors(corsOptions), (req, res, next) => {
  const originHeader = req.header('Origin');
  console.log(originHeader); // undefined
  res.json({ msg: 'This is CORS-enabled for a whitelisted domain.' });
});
unless you set the Origin
header yourself when you make the request to the function. For example:
// Client-side request that sets the Origin header by hand.
// The value is chosen entirely by the caller, so the function cannot treat it
// as proof of where the request came from.
await http.get(
'https://example1./yourfunction',
headers: {
"Origin": "https://example2.",
},
);
The problem is that anyone can write the above request (the Origin header can be faked). So, as this post suggests, a more foolproof way to verify access is to send something like the token that Firebase Auth generates when you sign in (or you can give the sending party a secret key that they must send):
// Client-side request that presents a bearer token instead of relying on Origin.
// "your_api_token_here" is a placeholder for the caller's real token.
// The token is only useful if the function verifies it on every request before
// doing any work (for a Firebase Auth ID token, the Admin SDK's verifyIdToken).
// Send it over HTTPS only, since anyone who can read the header can replay it.
await http.get(
'https://example1./yourfunction',
headers: {
"Authorization": "Bearer your_api_token_here",
},
);
You would then verify that it's legit in the Cloud Function (instead of checking the potentially fake origin).