Right now i have a function in Google cloud that is receiving/processing the requests, but since its open anyone with the URL to the function could potentially write data to the database. While the function URL is private and only used by Notehub i’d like to at least secure it a little bit.
My first thought is changing the route to be a generic https route and adding CORS headers myself so that in Google Functions i can make sure the request is actually coming from Notehub before running the function.
Is there a better/simpler way i’m missing?
Appreciate any insight.
One relatively simple way is to use am HTTP Authorization header. Although I’m not a Google Cloud Functions user, I believe this is the relevant documentation: Como autenticar para invocação | Documentação do Cloud Functions | Google Cloud
This requires generating a bearer token and adding it as a Header. Unfortunately, this isn’t supported by our current Google Cloud route. As you suggest, you’d have to do it using a Web Request route.
I’ll be adding a feature request to support bearer tokens for Google Cloud routes.
It doesn’t seem to me that CORS is the right approach here, but please enlighten me if you think that’s a better option.
Thank you for the feedback.
PS: For some reason, on my screen, Discuss is shows the title of that link in Portuguese.
However, it does link to documentation in English.
Ah that makes sense and i think is a good approach.
Yeah seems like a no brainer to have some form of auth supported out of the box, without it it makes using routes in a production environment difficult.
The other option i was looking at was making API calls to grab the events, but the routing just works so easily/cleanly I prefer it.
FYI… We now support the GCF Auth header in our Google Cloud Function route.
Try it out and let us know if it works for you.