I've just upgraded to using Firebase Cloud Functions v1.x. According to this answer
Callable functions are exactly the same as HTTP functions
With that in mind, I've tried to convert my pre-1.x mock-code:
export const myHttpAction = functions.https.onRequest((req, res) => {
  try {
    const result = await myHttpActionWorker(req.body);
    return res.send({ status: 'OK' });
  } catch (err) {
    console.error(err);
    return res.status(500).send({ status: 'Server error' });
  }
});
to the following:
export const myHttpAction = functions.https.onCall(async (data, context) => {
  console.log(context.auth);
  try {
    const result = await myHttpActionWorker(data);
    return { status: 'OK' };
  } catch (err) {
    console.error(err);
    return { status: 'Server error' };
  }
});
But upon submission to my endpoint, /myHttpAction, with the same data that I used in pre-1.x, I get the following back:
{
  "error": {
    "status": "INVALID_ARGUMENT",
    "message": "Bad Request"
  }
}
I'm not sure why the request is "bad" since it's exactly the same and Callable functions are "exactly the same". Any idea what gives?
My package.json specifies "firebase-functions": "^1.0.1".
onRequest creates a standard API endpoint, and you'll use whatever methods your client-side code normally uses to make. HTTP requests to interact with them. onCall creates a callable. Once you get used to them, onCall is less effort to write, but you don't have all the flexibility you might be used to.
Cloud Functions deployment can fail if the entry point to your code, that is, the exported function name, is not specified correctly. Your source code must contain an entry point function that has been correctly specified in your deployment, either via Cloud console or Cloud SDK.
Cloud Functions for Firebase is a serverless framework that lets you automatically run backend code in response to events triggered by Firebase features and HTTPS requests. Your JavaScript or TypeScript code is stored in Google's cloud and runs in a managed environment.
You're misunderstanding what was meant by "exactly the same" (and omitting the entire remainder of the answer!). They're the same in terms of security (as the original question was asking), because a callable function is an HTTP function, with extra stuff going on behind the scenes that managed by the callable client SDK. The answer lists out those differences. Those differences don't have any effect on security. But you can't simply swap in a callable for an HTTP function and expect everything to be the same for existing callers.
If you want to invoke a callable function without using the client SDK, you'll have to follow its protocol specification. The documentation on that is forthcoming, but you can get the basics here:
How to call Firebase Callable Functions with HTTP?
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With