When creating Callable Firebase Cloud Functions (using onCall) do I need to worry about CSRF attacks?
And if so, how do I protect myself against those attacks?
This is what my callable functions check for so far (App Check, authentication, and argument):
```typescript
import * as functions from 'firebase-functions';

export const myCallableFunction = functions.https.onCall(
  async (myData, context) => {
    // Check it passes App Check
    if (context.app == undefined) {
      throw new functions.https.HttpsError(
        'failed-precondition',
        'The function must be called from an App Check verified app.'
      );
    }
    // Check the authentication
    if (!context.auth) {
      throw new functions.https.HttpsError(
        'unauthenticated',
        'The function must be called while authenticated.'
      );
    }
    // Check the 'myData' argument
    if (!(typeof myData === 'string') || myData.length === 0) {
      throw new functions.https.HttpsError(
        'invalid-argument',
        'The myData argument is missing.'
      );
    }
    // Do the operation here
  }
);
```
Do I need to check for something else to protect against CSRF attacks?
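As an added illustration (not part of the question and not Firebase's own code), the following is a simplified model of the documented callable protocol (POST, `Content-Type: application/json`, a JSON body with a `data` key, and the Firebase ID token carried in an `Authorization: Bearer` header rather than a cookie). It contrasts what a cross-origin HTML form submission can send with what the client SDK sends; the request samples and the Bearer token value are constructed placeholders.

```javascript
// Simplified model of the callable protocol's request shape (not the
// firebase-functions implementation). Returns whether the request would
// reach the onCall handler at all and whether context.auth could be set.
function evaluateCallableRequest(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    headers[k.toLowerCase()] = v;
  }

  // The callable protocol only accepts POST with a JSON body holding "data".
  if (req.method !== 'POST') {
    return { accepted: false, reason: 'method-not-post', auth: false };
  }
  const ct = (headers['content-type'] || '').split(';')[0].trim();
  if (ct !== 'application/json') {
    return { accepted: false, reason: 'content-type-not-json', auth: false };
  }
  let body;
  try {
    body = JSON.parse(req.body);
  } catch (e) {
    return { accepted: false, reason: 'body-not-json', auth: false };
  }
  if (body === null || typeof body !== 'object' || !('data' in body)) {
    return { accepted: false, reason: 'missing-data', auth: false };
  }

  // context.auth comes from "Authorization: Bearer <ID token>", never from
  // ambient cookies, so a cross-site form post cannot supply it.
  const hasBearer = /^Bearer\s+\S+$/.test(headers['authorization'] || '');
  return { accepted: true, reason: 'ok', auth: hasBearer, data: body.data };
}

// Constructed sample: the most an HTML <form method="POST"> on another
// origin can send (form encoding, browser-attached cookies, no custom headers).
const CSRF_FORM_POST = {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded', Cookie: 'session=abc' },
  body: 'data=hello',
};

// Constructed sample: what the Firebase client SDK sends after CORS preflight.
const SDK_REQUEST = {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', Authorization: 'Bearer <ID_TOKEN_PLACEHOLDER>' },
  body: JSON.stringify({ data: 'hello' }),
};
```

A JSON request without the Bearer header is still accepted by the protocol but arrives with no `context.auth`, which is exactly what the `unauthenticated` check in the question rejects.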