How to prevent unauthenticated RESTful requests in Firebase
If you’re using Firebase Functions “onCall” methods, you can simply use “req.auth” directly when you have to return a response to the user’s REST call.
But if you’re using the Firebase Functions “onRequest” method, you need some additional work to make sure the caller is a real user who has been authenticated with Firebase Authentication.
Frontend side
You have to include an ID token when the user requests your API. It is generated by calling the “getIdToken” method. If you need to force a refresh, you can pass an additional parameter like this: “getIdToken(true)”.
Cloud Functions side (backend)
Now on the backend side, you can validate the user with the ID token included in the headers. Furthermore, you can decode the token and retrieve the user’s full information.
You might not want to allow everyone to access your endpoint. If so, you should use this approach.
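The backend check described above can be written as a guard around an “onRequest” handler. This is an added example, not the article's own code: it assumes the client sends the result of “getIdToken” as an `Authorization: Bearer <ID token>` header, and the names `extractBearerToken`, `requireFirebaseUser`, `fakeResponse` and `fakeVerify` are hypothetical. The verifier is injected so the guard runs offline without firebase-admin.

```javascript
// Added example. Assumption: the ID token arrives as "Authorization: Bearer <token>".

// Pull the ID token out of the Authorization header; null if absent or malformed.
function extractBearerToken(headers) {
  const value = (headers && (headers.authorization || headers.Authorization)) || '';
  const match = /^Bearer\s+(\S+)$/i.exec(value.trim());
  return match ? match[1] : null;
}

// Wrap an onRequest handler so it only runs for callers with a valid ID token.
// verifyIdToken is injected; in a deployed function pass
//   (token) => admin.auth().verifyIdToken(token)
function requireFirebaseUser(verifyIdToken, handler) {
  return async (req, res) => {
    const token = extractBearerToken(req.headers);
    if (!token) {
      return res.status(401).json({ error: 'missing ID token' });
    }
    try {
      // The decoded claims carry the uid and the rest of the user's information.
      req.user = await verifyIdToken(token);
    } catch (err) {
      // Expired, malformed or wrongly signed tokens are all rejected the same way.
      return res.status(401).json({ error: 'invalid ID token' });
    }
    return handler(req, res);
  };
}

// Wiring in index.js (needs firebase-functions and firebase-admin):
//   exports.profile = functions.https.onRequest(
//     requireFirebaseUser((t) => admin.auth().verifyIdToken(t),
//       (req, res) => res.json({ uid: req.user.uid })));

// Constructed stand-ins so the guard can be exercised offline.
function fakeResponse() {
  return {
    statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
}
async function fakeVerify(token) {
  if (token !== 'valid-token') throw new Error('verification failed');
  return { uid: 'user-123' };
}
```

Returning the same 401 for every verification failure keeps the response from telling a caller why a token was rejected; log `err` server-side if you need the reason.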