要開始在可調用的 Cloud Functions 中強制執行 App Check 令牌要求,請修改您的函數以檢查有效的 App Check 令牌。
在你開始之前
在您的Apple 、 Android和Web客戶端中啟用 App Check。
向函數添加 App Check 支持
將項目的 firebase
firebase-functions
依賴項更新到 3.14.0 或更高版本:npm install firebase-functions@">=3.14.0"
並將項目的 firebase
firebase-admin
依賴項更新到 9.8.0 或更高版本:npm install firebase-admin@">=9.8.0"
在您的函數中添加對
context.app
的檢查。如果未定義context.app
,您的函數應該會失敗。exports.yourCallableFunction = functions.https.onCall((data, context) => { // context.app will be undefined if the request doesn't include an // App Check token. (If the request includes an invalid App Check // token, the request will be rejected with HTTP error 401.) if (context.app == undefined) { throw new functions.https.HttpsError( 'failed-precondition', 'The function must be called from an App Check verified app.') } // Your function logic follows. });
(可選)如果您想使用自己的邏輯處理無效的 App Check 令牌(例如,如果您想在啟用完全強制之前暫時記錄而不是拒絕無效請求),請將
allowInvalidAppCheckToken
設置為true
:exports.yourCallableFunction = functions. .runWith({ allowInvalidAppCheckToken: true // Opt-out: Requests with invalid App // Check tokens continue to your code. }) .https.onCall((data, context) => { // Now, requests with an invalid App Check token are not rejected. // // context.app will be undefined if the request: // 1) Does not include an App Check token // 2) Includes an invalid App Check token if (context.app == undefined) { // You can inspect the raw request header to check whether an App // Check token was provided in the request. If you're not ready to // fully enable App Check yet, you could log these conditions instead // of throwing errors. const rawToken = context.rawRequest.header['X-Firebase-AppCheck']; if (rawToken == undefined) { throw new functions.https.HttpsError( 'failed-precondition', 'The function must be called from an App Check verified app.' ); } else { throw new functions.https.HttpsError( 'unauthenticated', 'Provided App Check token failed to validate.' ); } } // Your function logic follows. });
要啟用完整的應用檢查保護,請將
allowInvalidAppCheckToken
設置為false
。重新部署您的功能:
firebase deploy --only functions
部署這些更改後,您的可調用 Cloud Functions 將需要有效的 App Check 令牌。當您調用可調用函數時,Cloud Functions 客戶端 SDK 會自動附加應用檢查令牌。