node.js - How do I get the origin URL of a Firebase Function request?

Question

I am trying to build an application that executes logic ONLY if the origin URL is on allowlist. I am trying to get the origin URL inside of a Firebase Function using the following methods:

I tried using these from this stack overflow post:

req.get('Referrer')
req.get('Referer')
req.headers.referer
req.headers.referrer

All return undefined.

I tried to to put together this function from this stack overflow post:

function getOriginUrl(req: any) {
    return req.protocol + '://' + req.get('host') + req.originalUrl
}

This returns the base url of my cloud functions

https://us-central1-secured-1q4fq.cloudfunctions.net/

What I would actually like to see is the url that the post was made from. I am using this to make the post so I expect to see:

 https://reqbin.com

question from:https://stackoverflow.com/questions/65943377/how-do-i-get-the-origin-url-of-a-firebase-function-request

Answer 1

The code is fine. Unlike on browsers where this header is automatically generated depending on the policy they're using, you'll need to set the Referrer header on reqbin (or any API tools like Postman) for example:

Referrer :  https://reqbin.com 

However there are security concerns on using this header as it can be easily manipulated. You should know this.

A better solution to secure your Firebase Functions is to use Firebase Auth. Here's a note:

HTTP requests don’t “come from a domain name”. HTTP requests appear to come from IP addresses whose traffic is routed across global networks. You could try to limit execution to certain source IPs, but those IP addresses aren’t guaranteed to identify the true source of the request.

If you want to protect your functions from execution, it’s better to require some other sort of security that identifies the originator of the request.

The Firebase team provides sample code that shows how to limit requests from only users authenticated with Firebase Authentication. You can also require the client to send a key that authorizes its use of a function.

Additional References:

• https://www.quora.com/What-are-the-solutions-to-make-my-Firebase-cloud-functions-private-so-that-only-requests-sent-from-a-specific-domain-name-will-be-processed-1/answer/Doug-Stevenson-1
• https://stackoverflow.com/a/45034407/7031308