I am following the documentation here to add a CORS configuration to my function. My function's main.py is shown below.
When making an HTTP request (via Postman) to my function, it works. I figure with the CORS policy shown, it would not be allowed through. My goal is to limit access to this function to a Cloud API Gateway only so that only requests made via my API may use the function.
Currently, as it is, the URI of the function could be accessed from anywhere and I would need to add additional logic to verify it came from the API gateway. The function's URI is not human-guessable and it is not exposed. So no one would see it, but I would like this extra bit of security.
Am I misunderstanding how this should work?
```python
# Welcome to Cloud Functions for Firebase for Python!
# To get started, simply uncomment the below code or create your own.
# Deploy with `firebase deploy`
from firebase_functions import https_fn, options
from firebase_admin import initialize_app

initialize_app()


@https_fn.on_request(
    cors=options.CorsOptions(
        cors_origins=[r"firebase\.com$", r"https://flutter\.com"],
        cors_methods=["get", "post"],
    )
)
def on_request_example(req: https_fn.Request) -> https_fn.Response:
    return https_fn.Response("Hello world!")
```
Additionally, I see an example Google provides here where they have a CORS policy allowing a POST and GET request. Then in the body they check if it is PUT? Shouldn't CORS handle that?
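Added example, not part of the original post and not firebase_functions code: a simplified standard-library model of what the CORS policy in the question does, showing that a client sending no `Origin` header (such as Postman) still receives the response and that a method restriction only holds if the handler checks it. The function names, the `enforce_methods` flag, the sample origins and the use of `re.search` for pattern matching are assumptions of this model.

```python
import re

# Policy values copied from the question's CorsOptions.
CORS_ORIGINS = [r"firebase\.com$", r"https://flutter\.com"]
CORS_METHODS = ["get", "post"]


def cors_headers(origin):
    """Headers the CORS layer adds; it never rejects the request itself."""
    # Assumption of this model: patterns are applied with re.search.
    if origin and any(re.search(p, origin) for p in CORS_ORIGINS):
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def handle(method, origin=None, enforce_methods=False):
    """Model of the wrapped handler. Returns (status, headers, body)."""
    # The method list only feeds the preflight answer that browsers ask for;
    # a client that skips preflight is stopped only by a check in the handler.
    if enforce_methods and method.lower() not in CORS_METHODS:
        return 405, {"Allow": "GET, POST"}, "Method Not Allowed"
    return 200, cors_headers(origin), "Hello world!"


def browser_exposes_body(page_origin, response):
    """The browser-side half of CORS: may page script read this response?"""
    allowed = response[1].get("Access-Control-Allow-Origin")
    return allowed in (page_origin, "*")


if __name__ == "__main__":
    # Constructed sample requests.
    print(handle("GET"))                          # Postman-style, no Origin
    print(handle("GET", "https://evil.example"))  # browser, unlisted origin
    print(handle("PUT", enforce_methods=True))    # server-side method check
```

Because CORS is enforced by the browser, limiting callers to the gateway likewise needs a server-side check of the caller's identity rather than a CORS policy.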