Firebase cloud functions visibility and editing - google-cloud-functions

My question is very simple; I am new to Firebase Cloud Functions. Can some user see what's written in my function, and can they find the HTTP URL and call it outside my app? Because I will include the Admin SDK in the function, I need the credentials to be private. I want to decode the uid from the token.

The code for your Cloud Functions is only visible to you and collaborators on the project. It is not visible to other users of your app.
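As an added example that is not part of the original answer: the source is private, but an HTTPS function's URL can be called by anyone who discovers it, so the function has to verify the caller's Firebase ID token server-side before trusting a uid. The real verifier would be `admin.auth().verifyIdToken` from firebase-admin; here it is injected, and a constructed stand-in is used, so the logic runs offline.

```javascript
// Added example (not from the original post). Extracts and verifies the
// Firebase ID token a client sends in the Authorization header. Nothing
// secret is needed in the source: firebase-admin initialised without explicit
// credentials uses the function's runtime service account.

function extractBearerToken(headers) {
  // Node lower-cases incoming header names; accept either spelling anyway.
  const value = headers.authorization || headers.Authorization || "";
  const match = /^Bearer\s+(\S+)$/i.exec(value.trim());
  return match ? match[1] : null;
}

// Returns { uid } on success or { status, error } on failure.
// verifyIdToken is injected: in production, (t) => admin.auth().verifyIdToken(t).
async function authenticateRequest(headers, verifyIdToken) {
  const token = extractBearerToken(headers);
  if (!token) return { status: 401, error: "missing bearer token" };
  try {
    const decoded = await verifyIdToken(token);
    return { uid: decoded.uid };
  } catch (e) {
    // Expired, malformed or wrongly signed tokens all land here; do not echo
    // the token back or log it.
    return { status: 401, error: "invalid token" };
  }
}

// Wiring inside the deployed function (requires firebase-functions/firebase-admin):
// const admin = require("firebase-admin"); admin.initializeApp();
// exports.whoAmI = functions.https.onRequest(async (req, res) => {
//   const auth = await authenticateRequest(req.headers, (t) => admin.auth().verifyIdToken(t));
//   if (auth.error) return res.status(auth.status).json({ error: auth.error });
//   res.json({ uid: auth.uid });
// });

// Constructed stand-in verifier so this file runs without Firebase: it accepts
// exactly one constructed token value and rejects everything else.
async function fakeVerifyIdToken(token) {
  if (token === "constructed-valid-token") return { uid: "user_123" };
  throw new Error("auth/argument-error");
}
```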

Related

Calling Firebase Hosting API from a Firebase Cloud Function

I have a Firebase (node.js) cloud function that pulls in some data from my app's Firestore database and builds some static content for the web. I'd like that same cloud function to deploy the static content to Firebase hosting via the Firebase Hosting API, creating a static portion of my site with user generated content.
I understand the general flow thanks to the somewhat clear walkthrough, but am stuck on the first step: getting an access token to call the API. Obviously I'm not going to insecurely put my service account key in the cloud function itself, so the example in the walkthrough doesn't apply. And as I understand it, Firebase cloud functions are already associated with a service account, so presumably there's some way to get an access token to call other Google Cloud services from a cloud function.
So how do I get an access token to call the hosting API from a Cloud Function?
There are some red flags that make me think this isn't possible. For example, all of the use cases in the walkthrough allude to other server environments, as opposed to Google Cloud environments. And yet, this use case is the third bullet in the use case list in the walkthrough.
I've searched extensively here and elsewhere for some guidance, but am not finding anything. There are some older questions about accessing hosted files from a cloud function that aren't relevant. This promising question from 5 years ago about this exact use case only has dead ends.
You can use the google-auth-library package in Cloud Functions to get a token as shown below:

    import { GoogleAuth } from "google-auth-library";

    // Uses Application Default Credentials, which in Cloud Functions resolve to
    // the function's runtime service account; no key file is needed in the source.
    const token = await new GoogleAuth({
      scopes: ["https://www.googleapis.com/auth/cloud-platform"],
    }).getAccessToken();
If you use the Firebase Admin SDK in the Cloud Functions, then you can get an access token of the default service account as shown below (do ensure the service account has the required permissions):

    import { initializeApp } from "firebase-admin/app";

    const admin = initializeApp();
    const token = await admin.options.credential?.getAccessToken();
    // ^ Google OAuth2 access token object used to authenticate with Firebase services:
    //   token.access_token is the bearer string, token.expires_in its lifetime in seconds.

Google Apps Script as callback URL from external site for oauth

Sorry I don't have much knowledge in how this stuff works so...
I have a Bitrix24 site running and it has an API, it uses OAuth 2.0 protocol.
I want to create a Google Apps Script web apps (or API executable if it's more appropriate) that will interact with that external API.
From what I understand from the process, I call a page in the Bitrix24 site, which includes a callback URL, and the authentication info is sent to that callback page (https://training.bitrix24.com/rest_help/oauth/authentication.php).
I need to know if I can use Google Apps Script as this callback page. I have been searching but I don't think it's possible to use a web app's function, but maybe I'm looking at it from a wrong angle.
I hope someone can help in how this should be done, or say it's not possible at all.
Thanks in advance!
If it can help, I think there are 2 options:
1 - you can deploy a Web App with a doPost() function that will receive the callback from Bitrix24. Example:

    function doPost(e) {
      // e.parameter holds the query/form fields Bitrix24 sends to the callback URL
      Logger.log(JSON.stringify(e));
    }

Deploy your Web App to be accessible to anyone, and with the "Execute the app as me" option. Then get this Web App's URL (something like https://script.google.com/..../exec) and pass it as your Callback URL parameter when calling Bitrix24.
2 - you can also call Bitrix24 directly from your GAS Web App, using a state token to generate the callback URL. More information here:
https://developers.google.com/apps-script/reference/script/state-token-builder

Cloud Identity Platform make Custom SAML ACS Callback

I'm trying to make a custom SAML app to integrate with Google Workspace (i.e. so that if a person in the organization wants to access it, they could do so from the apps list on google.com).
Because Google Cloud Identity Platform only supports service provider-initiated login, this does not seem possible using the default callback URL they provide. I saw this answer to a similar question, and was hoping to implement something like this. However, the SAMLResponse coming in seems to be encrypted, and I don't know enough about the encryption process to know how to decrypt it (or if that's even possible).
I'm using a Cloud Function as my callback URL, and to be clear I'm trying to decrypt the res.body.SAMLResponse string:
    const functions = require("firebase-functions");

    exports.samlACSCallback = functions.https.onRequest(async (req, res) => {
      console.log(req.body.SAMLResponse);
      res.status(200).send("received"); // answer the POST so the request does not hang
    });
My best guess is that it's somehow related to the certificate that I had to copy from the Google Admin console to the Cloud Identity setup page?
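As an added example that is not part of the original post: in the SAML HTTP-POST binding the SAMLResponse form field is base64-encoded XML, so the first check is to decode it and see whether the assertion inside is a plain Assertion or an EncryptedAssertion (the latter can only be decrypted with the service provider's own private key). The helper below does that inspection without logging the raw value; the sample responses are constructed, and it does not validate the signature, which still needs a SAML library.

```javascript
// Added example (not from the original post). Decodes a SAMLResponse and
// reports whether it carries an encrypted or a plain assertion.
function inspectSamlResponse(samlResponseB64) {
  const xml = Buffer.from(samlResponseB64, "base64").toString("utf8");
  if (!/<(?:\w+:)?Response\b/.test(xml)) {
    throw new Error("not a SAML Response document");
  }
  const issuer = /<(?:\w+:)?Issuer[^>]*>([^<]+)<\/(?:\w+:)?Issuer>/.exec(xml);
  return {
    // <saml:EncryptedAssertion> wraps an xenc:EncryptedData block.
    encryptedAssertion: /<(?:\w+:)?EncryptedAssertion\b/.test(xml),
    // A plain <saml:Assertion> is readable once decoded (signature still unverified).
    plainAssertion: /<(?:\w+:)?Assertion\b/.test(xml),
    issuer: issuer ? issuer[1].trim() : null,
  };
}

// Constructed minimal responses for a local run (not real IdP traffic).
const PLAIN_XML =
  '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1">' +
  '<saml:Issuer>https://idp.example/metadata</saml:Issuer>' +
  '<saml:Assertion ID="_2"><saml:Subject/></saml:Assertion></samlp:Response>';
const ENCRYPTED_XML =
  '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1">' +
  '<saml:Issuer>https://idp.example/metadata</saml:Issuer>' +
  '<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>' +
  '</saml:EncryptedAssertion></samlp:Response>';
const PLAIN_B64 = Buffer.from(PLAIN_XML).toString("base64");
const ENCRYPTED_B64 = Buffer.from(ENCRYPTED_XML).toString("base64");
```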

What user data does the Google OAuth2 scope script.external_request give access to?

I'm attempting the verification process for an Apps Script web app that uses the URL Fetch service via class URLFetchApp. Per URLFetchApp documentation, this requires the scope https://www.googleapis.com/auth/script.external_request. I can't find any Google documentation for this scope, and it doesn't appear on this list of OAuth2 scopes. I'm having a hard time demonstrating how my app uses the data provided by the scope when I don't actually know what user data the scope provides. I mean, I don't think I'm using any user data... I'm just calling API executable functions from another Google Apps Script project.
What user data is this scope giving me access to? Or do I just need to explain why/how I'm using URLFetchApp?
If you head over to the editor dashboard of your script, you will see further information about this scope stating:
Connect to an external service under project OAuth scopes.
Moreover, when you run your script for the first time, the permissions it is asking for are:
Create a network connection to any external service (e.g., to read or write data)
Therefore, despite not having much more description in the documentation (just in UrlFetchApp), I don't think you are using any user data apart from getting the user to use your script and connect to an external service.
I hope this has helped you. Let me know if you need anything else or if you did not understand something. :)
According to the documentation, if you wish to use the UrlFetchApp Service then external_request is the scope you'll have to add to your manifest. Like it or not.
UrlFetch Service

"Invalid legacy scope provided" error when attempting to access a Google API from web app?

Here's what I'm trying to do:
Remotely execute a Google Apps Script function from an online automation service (Zoho Flow, similar in purpose to Zapier.)*
This function that I am remotely executing is to add gmail labels to everyone in an organization.
In order to do this, I've done the following:
Created a service account with domain-wide-delegation in the same GCP project associated with the function that adds gmail labels.
Used the OAuth2 library for Google Apps Script to perpetuate JWT authorization for that service account in my script.
Verified that the function works with service account functionality for all users in a Google organization within Google Apps Script
Deployed this script as an API Executable to enable remote execution
Created authtokens authorized with the mail scope for the Apps Script API (https://mail.google.com/), as well as an additional scope required by the OAuth2 library in my script. This is done in the google developer playground, using OAuth2.0 Client ID credentials that are authorized as a part of that same GCP project.
Successfully executed the function remotely using the Google Apps Script API with Postman
Now, in order to actually make this functionality official, I have to replace Postman and the Google developer console with the actual client, which is this Zoho Flow platform for API connections and process automation.
In order to make the switch I've done the following:
Added the authorized redirect URL for the client (Zoho Flow) under the same credentials that are used for the Google Developer Playground:
Utilized the credentials found from the JSON representation of those credentials** for creating what's called a "connection" in this software, which is basically an easy-to-use OAuth2.0 connection with a nice front-end that can be used for accessing API data (this is the part where I create this connection):
Entered the same scope for this connection that were authorized in the google developer playground, as well as that additional scope (https://www.googleapis.com/auth/script.external_request) that the OAuth2.0 library for Google Apps Script uses:
Lo and behold, I get the error below when attempting to gain access to Google API data from a web application, and the scopes that are said to cause the error are every scope except for the mail scope: https://mail.google.com/. I've done additional testing to verify that every other scope that is a part of the Google Apps Script API also creates this error, not just this external scope for the OAuth2 library.
Support said it was likely an issue with my credential permissions; is my line of logic for this correct? If it is, then it is an issue with their software that I will have them pursue further.
Some additional testing has been done on the software (Zoho Flow) to confirm whether or not it is a software error: I'm not certain if the process defined in my answer is best practice, or even 100% correct (other users can speak to it), but I've confirmed that the error I am seeing is likely an error with the client.
Here's why:
When authorizing for multiple scopes, I get the error seen at the end of my question:
When changing that connection to utilize only one of my scopes instead, like so:
The connection proceeds properly, and I can remotely execute functions that utilize only that one scope successfully. This does work for any one scope that I authorize. The only problem is, it's a rare occurrence that a script only requires one scope. While I can get around this major bug, I cannot remotely execute my function that adds Gmail labels to all users in an organization because it requires two scopes. This will be mentioned to the development team and it should be fixed soon.