I have doubts on the calling of firebase functions (gcp functions).
According to here: https://firebase.google.com/docs/functions/callable, when HTTPS callable functions are being called, the functions.https.onCall trigger automatically deserializes the request body and validates auth tokens. Then in this case, if an unauthenticated end user called this function, is this function being triggered or not? In other words, will I be charged on this calling?
It's true that it does validate the auth tokens for you, but what your function does with those auth tokens is up to the function. By validating them, the framework ensures that invalid auth tokens won't look like an authenticated user.
Notably, the documentation states:
"With callables, Firebase Authentication and FCM tokens, when available, are automatically included in requests."
The key to your question is "when available".
If validating that the request was authenticated is important to you, then you need to check the variables that firebase provides in the context parameter. (See the API definition of the CallableContext object that is passed in.) You are able to pull things off such as the uid (as auth.uid on the second parameter to the function), etc.
In short, the function certainly is executed, and if it does anything or not for an unauthenticated user depends on how it is written.
You can safely expect that the invocation itself is still accounted for in your free tier quota or as a billable invocation -- there isn't anything at all that says that callable functions have to be authenticated, and there are many possible uses for non-authenticated callable functions (e.g. you want to protect a certain part of the database to only be accessed by server-side code, even if unauthenticated users run it).
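One way to write the check the answer describes, as an added example that is not part of the original answer. The names `requireAuth`, `getProfile`, `publicPing` and `stats` are hypothetical, and the local `HttpsError` class is a stand-in for `functions.https.HttpsError` so the block runs without the SDK.

```javascript
// Stand-in for functions.https.HttpsError (assumption: keeps the example SDK-free).
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code; // callable clients receive this status code
  }
}

// Hypothetical counters: every call reaches the wrapper, so every call is an
// invocation, whether or not the caller turns out to be signed in.
const stats = { invoked: 0, rejected: 0 };

// Wraps a callable handler of the (data, context) shape and refuses to run it
// unless the framework attached a verified identity to the context.
function requireAuth(handler) {
  return (data, context) => {
    stats.invoked += 1;
    // context.auth is only populated when a valid ID token came with the request.
    // A missing or invalid token leaves it undefined; the function still runs.
    if (!context || !context.auth || !context.auth.uid) {
      stats.rejected += 1;
      throw new HttpsError('unauthenticated', 'Sign-in required.');
    }
    return handler(data, context);
  };
}

// Hypothetical handler that must only serve signed-in users.
const getProfile = requireAuth((data, context) => {
  return { uid: context.auth.uid };
});

// Hypothetical handler that is deliberately open to anonymous callers.
const publicPing = (data, context) => {
  return { authenticated: Boolean(context && context.auth) };
};

// In a deployed project the handlers would be registered like this:
//   const functions = require('firebase-functions');
//   exports.getProfile = functions.https.onCall(getProfile);
//   exports.publicPing = functions.https.onCall(publicPing);
```

The rejection happens inside the function body, so the unauthenticated call has already been triggered by the time the error is thrown.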