Only allow function to be called by author lambda functions

nonissue · March 17, 2020, 6:11pm

I have a series of functions, and I want to prevent some of them from being invoked by any method other than another netlify function in the same repo. I guess the simplest way to do this would be set a passphrase as an Env variable, and verify that any incoming request has that passphrase, but I figure there’s got to be another way that I’m missing. I have looked at the docs on signed proxy redirects, and I think that might be what I want, but the documentation is sparse so I’m not certain. (https://docs.netlify.com/routing/redirects/rewrites-proxies/#signed-proxy-redirects).

It could be that I’m just approaching this all wrong, and I’m trying to solve a problem that shouldn’t exist, but if anyone has any advice, I’d appreciate it.

Thanks!

nonissue · March 13, 2020, 11:30pm

Oops, i meant “other”, not author haha.

jen · March 17, 2020, 6:10pm

I believe there are several ways to do this, and you’re right that signed proxy redirects would be one way. But I think your env var passphrase would be simpler and still accomplish the same thing

In function A, you could set the passphrase to be a header, i.e. 'x-key': process.env.KEY and in function B, you would check for that header/header value. Or you could check for some hashed version of the value. Even if function A’s endpoint were visible in the browser, the call from function A to function B would not be—so both function B’s endpoint and the key required to “call” it would be relatively protected.

Want to give this approach a shot and let us know how it goes?