How To Do API Security - Login Endpoint

Hi, My backend server has a login endpoint which i am supposed to call after authenticating the user. The only auth method is SMS OTP, So I am thinking to use firebase to handle the authentication part, then call the login endpoint with just the phone number as inout. this logs them in, the issue is login endpoint is accessible on the website openly and anybody can bypass the firebase authentication and login as anyone.
how do i fix this issue?

I don’t know if our functions will be a good match for this workflow, since they only have 10 seconds until timeout. I’d suggest that you should call the auth method DURING function execution, but…SMS won’t go fast enough (and allow a response by a reasonable human) to work there, so I guess you need to pass in a token or something from that auth, that is more “unguessable” than the phone number - maybe you’re passing in the code that the person inputs into your web page and verifying that instead of the phone number (which you can send too, but is guessable)?

Not sure how you’ll implement things, but TL;DR you should verify the auth while you use it is my suggestion