瞭解 App Check 對使用者的影響後,如果您已準備好繼續操作,可以啟用 App Check 強制執行機制。
啟用強制執行功能
如要在可呼叫的 Cloud Functions 中開始強制執行 App Check 權杖規定,請修改函式,以便檢查有效的 App Check 權杖,如下所示。啟用強制執行功能後,所有未經驗證的要求都會遭到拒絕。
安裝 Cloud Functions SDK。
Node.js (第 1 代)
將專案的
firebase-functions
依附元件更新至 4.0.0 以上版本:npm install firebase-functions@">=4.0.0"
Node.js (第 2 代)
將專案的
firebase-functions
依附元件更新至 4.0.0 以上版本:npm install firebase-functions@">=4.0.0"
Python (預先發布版)
將
firebase-functions
新增至functions/requirements.txt
:firebase-functions >= 0.1.0
接著,請更新專案虛擬環境中的依附元件:
./venv/bin/pip install -r requirements.txt
為函式啟用 App Check 執行階段強制執行選項:
Node.js (第 1 代)
const functions = require("firebase-functions/v1"); exports.yourV1CallableFunction = functions .runWith({ enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens. }) .https.onCall((data, context) => { // context.app contains data from App Check, including the app ID. // Your function logic follows. ... });
Node.js (第 2 代)
const { onCall } = require("firebase-functions/v2/https"); exports.yourV2CallableFunction = onCall( { enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens. }, (request) => { // request.app contains data from App Check, including the app ID. // Your function logic follows. ... } );
Python (預先發布版)
from firebase_functions import https_fn @https_fn.on_call( enforce_app_check=True # Reject requests with missing or invalid App Check tokens. ) def your_callable_function(req: https_fn.CallableRequest) -> https_fn.Response: # req.app contains data from App Check, including the app ID. # Your function logic follows. ...
重新部署函式:
firebase deploy --only functions
這些變更部署完成後,可呼叫的 Cloud Functions 就會需要有效的 App Check 權杖。當您呼叫可呼叫的函式時,Cloud Functions 用戶端 SDK 會自動附加 App Check 權杖。
重播防護 (Beta 版)
為避免可呼叫的函式遭到重播攻擊,您可以在驗證後使用 App Check 權杖。權杖使用完畢後,就無法再次使用。
請注意,使用重播保護功能會在權杖驗證中增加網路往返傳送時間,因此會增加 Cloud 函式呼叫的延遲時間。因此,大多數應用程式通常只會在特別敏感的端點啟用重播保護功能。
如要使用符記:
在 Cloud 控制台中,將「Firebase App Check Token Verifier」角色授予 Cloud 函式使用的服務帳戶。
- 如果您明確初始化 Admin SDK,並指定專案的 Admin SDK 服務帳戶憑證,系統就會授予必要的角色。
- 如果您使用第 1 代 Cloud Functions 搭配預設的 Admin SDK 設定,請將角色授予 App Engine 預設服務帳戶。請參閱「變更服務帳戶權限」。
- 如果您使用第 2 代 Cloud Functions 搭配預設的 Admin SDK 設定,請將角色授予預設運算服務帳戶。
在函式定義中將
consumeAppCheckToken
設為true
:Node.js (第 1 代)
const functions = require("firebase-functions/v1"); exports.yourV1CallableFunction = functions .runWith({ enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens. consumeAppCheckToken: true // Consume the token after verification. }) .https.onCall((data, context) => { // context.app contains data from App Check, including the app ID. // Your function logic follows. ... });
Node.js (第 2 代)
const { onCall } = require("firebase-functions/v2/https"); exports.yourV2CallableFunction = onCall( { enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens. consumeAppCheckToken: true // Consume the token after verification. }, (request) => { // request.app contains data from App Check, including the app ID. // Your function logic follows. ... } );
更新應用程式用戶端程式碼,以便在呼叫函式時取得可消耗的限用權杖:
Swift
let options = HTTPSCallableOptions(requireLimitedUseAppCheckTokens: true) let yourCallableFunction = Functions.functions().httpsCallable("yourCallableFunction", options: options) do { let result = try await yourCallableFunction.call() } catch { // ... }
Web
import { getFunctions, httpsCallable } from "firebase/functions"; const yourCallableFunction = httpsCallable( getFunctions(), "yourCallableFunction", { limitedUseAppCheckTokens: true }, ); await yourCallableFunction();
Kotlin+KTX
val yourCallableFunction = Firebase.functions.getHttpsCallable("yourCallableFunction") { limitedUseAppCheckTokens = true } val result = yourCallableFunction.call().await()
Java
HttpsCallableReference yourCallableFunction = FirebaseFunctions.getInstance().getHttpsCallable( "yourCallableFunction", new HttpsCallableOptions.Builder() .setLimitedUseAppCheckTokens(true) .build() ); Task<HttpsCallableResult> result = yourCallableFunction.call();