Security is an important aspect of Cloud Functions. Often a Cloud Function is used to perform important system tasks or returns sensitive data. You must pay special attention to ensure that such functions are only invoked by the project owner at the proper time, with the proper arguments.
Even if a Cloud Function has no way of breaking your app and is not presenting a security risk, it is not recommended to let everyone invoke it at any time. Having many invocations might drain your bandwidth and cause you additional charges.
To handle those scenarios, Cloud Functions support permissions.
In this article:
Cloud Functions's security is role-based. By default, when you create a Cloud Function, the resulting endpoint can be invoked by users in all currently existing roles, including the Anonymous role.
Roles that you add to your application after creating the Cloud Function are not allowed to call it. You need to explicitly set the permissions for the endpoint to accept requests from users in these roles.
You are advised to change the default set of permissions. In case you decide to keep it, ensure that you take into account all possible parameters and act accordingly. Even if you are making the right calls to the endpoint from your app, someone might find out the endpoint URL and execute it with whatever parameters they want.
To set a single endpoint's permissions, click the gear icon next to the Cloud Function name and select Permissions from the drop-down list.
On Business Logic > Logs, you can view and set permissions for all Cloud Function that you have defined.
See Introduction to Business Logic Permissions to find out how to manage permissions programmatically.
If you need to fine-grain the security of your Cloud Function, you can implement your own custom security mechanism based on the security principal making the request.
Within the Cloud Function you can read information about the principal who initiated the function call by examining the
request object. You can then decide what access to grant based on the principal and the function parameters.
You can even implement your custom authentication, completely independent from the Telerik Platform security system. You will still have to rely on the request parameters to transfer authentication data.