閱讀這篇文章,瞭解 App Check 會對使用者造成哪些影響 準備就緒後,您就可以啟用 App Check 強制執行功能。
啟用強制執行功能
如要開始在可呼叫元件中強制執行 App Check 權杖規定 Cloud Functions,請修改函式,檢查有效的 App Check 符記,如下所示開始強制執行後,所有未經驗證的要求 遭到拒絕。
安裝 Cloud Functions SDK。
Node.js (第 1 代)
將專案的
firebase-functions
依附元件更新為 4.0.0 版或 較新:npm install firebase-functions@">=4.0.0"
Node.js (第 2 代)
將專案的
firebase-functions
依附元件更新為 4.0.0 版或 較新:npm install firebase-functions@">=4.0.0"
Python (預先發布版)
將
firebase-functions
新增至functions/requirements.txt
:firebase-functions >= 0.1.0
接著,更新專案虛擬環境中的依附元件:
./venv/bin/pip install -r requirements.txt
為函式啟用 App Check 強制執行執行階段選項:
Node.js (第 1 代)
const functions = require("firebase-functions/v1"); exports.yourV1CallableFunction = functions .runWith({ enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens. }) .https.onCall((data, context) => { // context.app contains data from App Check, including the app ID. // Your function logic follows. ... });
Node.js (第 2 代)
const { onCall } = require("firebase-functions/v2/https"); exports.yourV2CallableFunction = onCall( { enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens. }, (request) => { // request.app contains data from App Check, including the app ID. // Your function logic follows. ... } );
Python (預先發布版)
from firebase_functions import https_fn @https_fn.on_call( enforce_app_check=True # Reject requests with missing or invalid App Check tokens. ) def your_callable_function(req: https_fn.CallableRequest) -> https_fn.Response: # req.app contains data from App Check, including the app ID. # Your function logic follows. ...
重新部署函式:
firebase deploy --only functions
部署這些變更之後,可呼叫的 Cloud Functions 將需要 有效的 App Check 權杖。Cloud Functions 用戶端 SDK 會自動執行 並在叫用可呼叫函式時附加 App Check 權杖。
重播防護措施 (Beta 版)
如要保護可呼叫函式不受重送攻擊,您可使用應用程式 驗證權杖後,請檢查權杖。憑證一經使用即無法使用 可以選取「重新建立」,再次生成新的提示
請注意,使用重送防護功能會將網路來回傳輸至權杖 因此會增加 Cloud 函式呼叫的延遲時間。為此 原因,大多數應用程式通常只會在 機密端點
如要使用權杖,請按照下列指示操作:
在 Cloud 控制台 授予「Firebase App Check 權杖驗證者」授予服務帳戶的角色 由 Cloud 函式使用
- 如果您要明確地初始化 Admin SDK 並指定 專案的 Admin SDK 服務帳戶憑證 。
- 如果您是搭配預設管理員使用第 1 代 Cloud Functions SDK 設定,將角色授予 App Engine 預設服務 帳戶。請參閱變更服務帳戶權限。
- 如果您是搭配預設管理員使用第 2 代 Cloud Functions SDK 設定,將角色授予預設運算服務 帳戶。
將函式定義中的
consumeAppCheckToken
設為true
:Node.js (第 1 代)
const functions = require("firebase-functions/v1"); exports.yourV1CallableFunction = functions .runWith({ enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens. consumeAppCheckToken: true // Consume the token after verification. }) .https.onCall((data, context) => { // context.app contains data from App Check, including the app ID. // Your function logic follows. ... });
Node.js (第 2 代)
const { onCall } = require("firebase-functions/v2/https"); exports.yourV2CallableFunction = onCall( { enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens. consumeAppCheckToken: true // Consume the token after verification. }, (request) => { // request.app contains data from App Check, including the app ID. // Your function logic follows. ... } );
更新應用程式用戶端程式碼,取得消耗性使用限制 符記:
Swift
let options = HTTPSCallableOptions(requireLimitedUseAppCheckTokens: true) let yourCallableFunction = Functions.functions().httpsCallable("yourCallableFunction", options: options) do { let result = try await yourCallableFunction.call() } catch { // ... }
Web
import { getFunctions, httpsCallable } from "firebase/functions"; const yourCallableFunction = httpsCallable( getFunctions(), "yourCallableFunction", { limitedUseAppCheckTokens: true }, ); await yourCallableFunction();
Kotlin+KTX
val yourCallableFunction = Firebase.functions.getHttpsCallable("yourCallableFunction") { limitedUseAppCheckTokens = true } val result = yourCallableFunction.call().await()
Java
HttpsCallableReference yourCallableFunction = FirebaseFunctions.getInstance().getHttpsCallable( "yourCallableFunction", new HttpsCallableOptions.Builder() .setLimitedUseAppCheckTokens(true) .build() ); Task<HttpsCallableResult> result = yourCallableFunction.call();