
Enable App Check enforcement for Cloud Functions

Once you understand how App Check will affect your users and are ready to proceed, you can enable App Check enforcement.

Enable enforcement

To start enforcing App Check token requirements in your callable Cloud Functions, modify your functions to check for valid App Check tokens, as shown below. Once enforcement is enabled, every unverified request is rejected.

  1. Install the Cloud Functions SDK.

    Node.js (1st gen)

    Update your project's firebase-functions dependency to version 4.0.0 or newer:

    npm install firebase-functions@">=4.0.0"
    

    Node.js (2nd gen)

    Update your project's firebase-functions dependency to version 4.0.0 or newer:

    npm install firebase-functions@">=4.0.0"
    

    Python (preview)

    Add firebase-functions to functions/requirements.txt:

    firebase-functions >= 0.1.0
    

    Then update the dependencies in your project's virtual environment:

    ./venv/bin/pip install -r requirements.txt
    
  2. Enable the App Check enforcement runtime option for your function:

    Node.js (1st gen)

    const functions = require("firebase-functions/v1");
    
    exports.yourV1CallableFunction = functions
      .runWith({
        enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.
      })
      .https.onCall((data, context) => {
        // context.app contains data from App Check, including the app ID.
        // Your function logic follows.
        ...
      });
    

    Node.js (2nd gen)

    const { onCall } = require("firebase-functions/v2/https");
    
    exports.yourV2CallableFunction = onCall(
      {
        enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.
      },
      (request) => {
        // request.app contains data from App Check, including the app ID.
        // Your function logic follows.
        ...
      }
    );
    

    Python (preview)

    from firebase_functions import https_fn
    
    @https_fn.on_call(
        enforce_app_check=True  # Reject requests with missing or invalid App Check tokens.
    )
    def your_callable_function(req: https_fn.CallableRequest) -> https_fn.Response:
        # req.app contains data from App Check, including the app ID.
        # Your function logic follows.
        ...
    
  3. Redeploy your functions:

    firebase deploy --only functions
    

Once these changes are deployed, your callable Cloud Functions require valid App Check tokens. The Cloud Functions client SDKs automatically attach an App Check token when you invoke a callable function.

Replay protection (beta)

To protect a callable function from replay attacks, you can consume the App Check token after verifying it. Once a token has been consumed, it cannot be used again.

Note that replay protection adds a network round trip to token verification and therefore adds latency to the Cloud Functions call. For this reason, most apps enable replay protection only on particularly sensitive endpoints.

To consume the token, set consumeAppCheckToken to true in your function definition:

Node.js (1st gen)

const functions = require("firebase-functions/v1");

exports.yourV1CallableFunction = functions
  .runWith({
    enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.
    consumeAppCheckToken: true // Consume the token after verification.
  })
  .https.onCall((data, context) => {
    // context.app contains data from App Check, including the app ID.
    // Your function logic follows.
    ...
  });

Node.js (2nd gen)

const { onCall } = require("firebase-functions/v2/https");

exports.yourV2CallableFunction = onCall(
  {
    enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.
    consumeAppCheckToken: true  // Consume the token after verification.
  },
  (request) => {
    // request.app contains data from App Check, including the app ID.
    // Your function logic follows.
    ...
  }
);

When you enable this feature for a particular Cloud Function, you must also update your app's client code to acquire consumable, limited-use tokens when calling that function:

Swift

let options = HTTPSCallableOptions(requireLimitedUseAppCheckTokens: true)
let yourCallableFunction =
    Functions.functions().httpsCallable("yourCallableFunction", options: options)
do {
    let result = try await yourCallableFunction.call()
} catch {
    // ...
}

Web modular API

import { getFunctions, httpsCallable } from "firebase/functions";

const yourCallableFunction = httpsCallable(
  getFunctions(),
  "yourCallableFunction",
  { limitedUseAppCheckTokens: true },
);
await yourCallableFunction();

Kotlin+KTX

val yourCallableFunction = Firebase.functions.getHttpsCallable("yourCallableFunction") {
    limitedUseAppCheckTokens = true
}
val result = yourCallableFunction.call().await()

Java

HttpsCallableReference yourCallableFunction = FirebaseFunctions.getInstance().getHttpsCallable(
        "yourCallableFunction",
        new HttpsCallableOptions.Builder()
                .setLimitedUseAppCheckTokens(true)
                .build()
);
Task<HttpsCallableResult> result = yourCallableFunction.call();
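As an added example (not Firebase's own code), the following 2nd-gen Node.js function combines the enforceAppCheck and consumeAppCheckToken options from the enforcement and replay-protection sections above with handler logic that fails closed. It assumes firebase-functions 4.x; ALLOWED_APP_IDS, sensitiveHandler, register and the app and user IDs are constructed placeholders, and the handler is kept in a plain function so it can be exercised without the SDK installed.

```javascript
// Firebase app IDs permitted to call this endpoint (constructed placeholder value).
const ALLOWED_APP_IDS = new Set(["1:000000000000:web:placeholderappid"]);

// Builds an Error carrying a callable status code; register() maps it to HttpsError.
function callableError(code, message) {
  return Object.assign(new Error(message), { code });
}

// Plain handler taking the CallableRequest shape that onCall passes in
// (request.app, request.auth, request.data). It fails closed at every step.
function sensitiveHandler(request) {
  // enforceAppCheck already rejects missing or invalid tokens; re-checking request.app
  // means a deploy that drops that option still fails closed instead of opening up.
  if (!request.app) {
    throw callableError("failed-precondition", "App Check token missing");
  }
  // Only apps registered for this project should reach a sensitive endpoint.
  if (!ALLOWED_APP_IDS.has(request.app.appId)) {
    throw callableError("permission-denied", `app ${request.app.appId} not allowed`);
  }
  // App Check attests the app, not the user: a sensitive endpoint still needs sign-in.
  if (!request.auth) {
    throw callableError("unauthenticated", "sign-in required");
  }
  return { ok: true, appId: request.app.appId, uid: request.auth.uid };
}

// Wires the handler into onCall with both runtime options. The SDK is loaded lazily
// so this file can be unit-tested without firebase-functions installed; index.js
// would do: exports.yourV2CallableFunction = register();
function register() {
  const { onCall, HttpsError } = require("firebase-functions/v2/https");
  return onCall(
    {
      enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.
      consumeAppCheckToken: true, // Consume the token after verification (single use).
    },
    (request) => {
      try {
        return sensitiveHandler(request);
      } catch (e) {
        // HttpsError carries the status code back to the client; anything else is "internal".
        throw new HttpsError(e.code || "internal", e.message);
      }
    }
  );
}

module.exports = { ALLOWED_APP_IDS, sensitiveHandler, register };
```

Clients calling this function must request limited-use tokens (for example limitedUseAppCheckTokens: true in the Web modular API shown above), since the server consumes each token it verifies.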