Question
I am creating a game in Unity where the user can contribute with levels using a Level Creator system.
My application is set up in a way that I just need to call the Cloud Function with the level info, and it handles duplicate entries and saves it to Firestore. All of this works perfectly.
My question, basically, is: can I have my functions only accept calls from my game? (without having my users registered?).
Naturally, I am using functions.https.onCall((data, context) => {}). In the documentation for Firebase, I noticed they use context.auth to check whether the user is authenticated or not. However, I am logging this value to the console and it appears to be undefined.
I am also confused with this line, from the same link:
With callables, Firebase Authentication and FCM tokens, when available, are automatically included in requests.
Maybe context.auth is not defined because my game isn't yet in Google Play / Apple Store? Any ideas?
Answer 1:
It's not possible to restrict invocations of a callable function to just one app, and it doesn't matter if the app is published to any stores. Once you deploy a function, it's accessible to anyone with an internet connection.
The best you can do is require your users to be authenticated with Firebase Authentication in your app, then check context.auth in the function to determine if it should do what the user wants. context.auth will be undefined in the case of no authentication. If your code determines that the function should not go any further, you can return early. But the function is still invoked.
Source: https://stackoverflow.com/questions/60191410/is-it-possible-to-only-accept-function-calls-from-my-app-in-firebase
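The context.auth check the answer describes, as an added example that is not part of the original question or answer. The handler body is written as a plain function so it runs without the SDK; `CallableError` stands in for `functions.https.HttpsError`, and `submitLevel`, `saveLevel`, `MAX_TILES` and the level fields (`name`, `tiles`) are hypothetical names.

```javascript
// Stand-in for functions.https.HttpsError so this sketch runs without the SDK.
class CallableError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

const MAX_TILES = 4096; // hypothetical size limit for this sketch

// Body for functions.https.onCall((data, context) => submitLevel(data, context, save)).
// saveLevel is a hypothetical persistence callback (for example a Firestore write).
function submitLevel(data, context, saveLevel) {
  // context.auth is only set when the client SDK attached a valid Firebase
  // Authentication ID token; without one it is undefined, so stop early.
  if (!context || !context.auth || !context.auth.uid) {
    throw new CallableError('unauthenticated', 'Sign in before submitting a level.');
  }
  // Authentication identifies the user, not the calling program, so the
  // payload is still untrusted input and is validated here.
  const name = data && typeof data.name === 'string' ? data.name.trim() : '';
  const tiles = data && Array.isArray(data.tiles) ? data.tiles : null;
  if (!name || name.length > 64 || !tiles || tiles.length === 0 ||
      tiles.length > MAX_TILES || !tiles.every(Number.isInteger)) {
    throw new CallableError('invalid-argument', 'Malformed level.');
  }
  // The owner comes from the verified token, never from client-supplied data.
  return saveLevel({ name, tiles, ownerUid: context.auth.uid });
}

// Constructed sample calls: no token, bad payload, valid call with a spoofed owner field.
function demo() {
  const saved = [];
  const save = (level) => { saved.push(level); return { id: saved.length }; };
  const calls = [
    [{ name: 'Cave', tiles: [0, 1, 1] }, {}],
    [{ name: 'Cave', tiles: 'x' }, { auth: { uid: 'uid-1' } }],
    [{ name: 'Cave', tiles: [0, 1, 1], ownerUid: 'spoofed' }, { auth: { uid: 'uid-1' } }],
  ];
  const outcomes = calls.map(([data, ctx]) => {
    try { submitLevel(data, ctx, save); return 'saved'; } catch (e) { return e.code; }
  });
  return { outcomes, saved };
}

console.log(demo());
```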