问题描述
我正在尝试使用Firebase身份验证的GCP API网关。我可以看到我的请求已从日志中处理完毕,并以响应代码200完成。但是,我没有将响应返回给客户端。我直接调用该函数时得到响应。我想念什么吗?
API配置
swagger: "2.0"
info:
title: API Endpoints
description: API Endpoints
version: 1.0.1
schemes:
- https
produces:
- application/json
securityDeFinitions:
firebase:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
x-google-issuer: "https://securetoken.google.com/my-project"
x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/Metadata/x509/securetoken@system.gserviceaccount.com"
x-google-audiences: "my-project"
paths:
/hello:
get:
summary: Test link
operationId: hello
x-google-backend:
address: https://us-central1-my-project.cloudfunctions.net/hello
security:
- firebase: []
responses:
"200":
description: A successful response
schema:
type: string
"403":
description: Failed to authenticate
* Responds to any HTTP request.
*
* @param {!express:Request} req HTTP request context.
* @param {!express:Response} res HTTP response context.
*/
exports.helloWorld = (req,res) => {
let message = req.query.message || req.body.message || 'Hello World!';
res.status(200).send(message);
};
日志
其他查询
最初,我将函数设为私有,并且得到403。将allUsers与Cloud Functions Invoker添加到我要调用的函数的权限后,它给了我200。所以我有点困惑。我在firebase auth中使用API网关的部分原因是为了防止未经授权的调用。为了使firebase auth工作,我必须添加allUsers,使其公开。我的理解是,仅API网关将是公共的,而它调用的所有后端服务将是私有的。在这种情况下,任何人都可以直接调用该函数,从而使API Gateway失效。如何将后端设置为私有,并仅通过API网关响应经过身份验证的调用?
其他日志
{
insertId: "8c13b49c-2752-4216-8188-d445f4724ef14850908905639612439@a1"
jsonPayload: {
api_key_state: "NOT CHECKED"
api_method: "1.myapi.GenerateRTCToken"
api_name: "1.myapi"
api_version: "1.0.1"
client_ip: "999.999.999.999"
http_method: "GET"
http_response_code: 200
location: "us-central1"
log_message: "1.myapi.GenerateRTCToken is called"
producer_project_id: "myproject"
request_latency_in_ms: 161
request_size_in_bytes: 4020
response_size_in_bytes: 579
service_agent: "ESPv2/2.17.0"
service_config_id: "myapi-config"
timestamp: 1606313914.9804168
url: "/generateRTCToken"
}
logName: "projects/myproject/logs/myapi%2Fendpoints_log"
receiveTimestamp: "2020-11-25T14:18:36.521292489Z"
resource: {
labels: {
location: "us-central1"
method: "1.myapi.GenerateRTCToken"
project_id: "myproject"
service: "myapi"
version: "1.0.1"
}
type: "api"
}
severity: "INFO"
timestamp: "2020-11-25T14:18:34.980416865Z"
}
解决方法
要在不公开的情况下从import turtle
wn = turtle.Screen()
wn.setup(500,500)
tess = turtle.Turtle("triangle")
tess.color("red")
tess.left(90)
def increaseSize():
size = tess.turtlesize()
increase = (2 * num for num in size)
tess.turtlesize(*increase)
wn.onkey(increaseSize,"x")
wn.listen()
调用Google Cloud Function,可以授予Api-Gateway使用的服务帐户角色API-Gateway
在Creating an API config (4)上:您设置了一个服务帐户,请记下该服务帐户。
一旦确定了服务帐户,就可以将其授予服务帐户的CloudFunctions Invoker角色。对于这些,您可以按照以下步骤操作:
- 转到IAM&Admin
- 找到服务帐户,然后单击旁边的铅笔(如果看不到服务帐户,请单击“添加”并键入服务帐户电子邮件)
- 对于角色,选择
Cloud Funtions Invoker - 点击保存
这将授予服务帐户在不公开功能的情况下调用功能的权限。
,看看这个document,其中详细说明了如何使用Firebase在API Gateway中进行身份验证。
通常,要配置这些服务,我们需要记住两个条件:
当您的客户端应用程序发送HTTP请求时,请求中的授权标头必须包含以下JWT声明:
- iss(发行人)
- sub(主题)
- aud(听众)
- iat(发布于)
- exp(到期时间)
要支持Firebase身份验证,请将以下内容添加到您的API配置中的安全性定义中:
securityDefinitions:
firebase:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
# Replace YOUR-PROJECT-ID with your project ID
x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]"
x-google-audiences: "YOUR-PROJECT-ID"