[Security] Cloud Function sendInviteEmail should enforce App Check #55

@CrowdTypical

Severity: LOW

Description

The sendInviteEmail Cloud Function in functions/index.js uses invoker: "public", making the endpoint publicly accessible. The request.auth check inside compensates, but adding App Check verification to the Cloud Function would provide defense-in-depth against unauthorized callers.

Recommendation

  • Add App Check enforcement to sendInviteEmail:
    exports.sendInviteEmail = onCall(
      { secrets: [smtpEmail, smtpPassword], invoker: "public", enforceAppCheck: true },
      async (request) => { ... }
    );
  • Requires App Check to be enabled on the client side first (see related issue)

Files

  • functions/index.js
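Added example, not code from this repository: the in-handler guard a hardened sendInviteEmail would run behind `enforceAppCheck: true`, written framework-free so it runs without firebase-functions. It assumes the v2 onCall request shape (request.app set only when the App Check token validated, request.auth set only for signed-in callers), a hypothetical `request.data.email` field, an injected `sendMail` function, and a local `HttpsError` class standing in for the SDK's.

```javascript
// With enforceAppCheck: true the SDK rejects callers lacking a valid App Check
// token before the handler runs, and request.app is populated only when the
// token validated. The explicit checks below are the second layer: even if the
// option were dropped again, the handler still refuses unverified callers.

class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code; // e.g. "unauthenticated", "failed-precondition"
  }
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validates the caller and input; returns what the mailer needs or throws.
function authorizeInvite(request) {
  if (!request.app) {
    throw new HttpsError("failed-precondition", "App Check token missing or invalid");
  }
  if (!request.auth || !request.auth.uid) {
    throw new HttpsError("unauthenticated", "Sign-in required to send invites");
  }
  const to = request.data && request.data.email; // assumed input field
  if (typeof to !== "string" || !EMAIL_RE.test(to)) {
    throw new HttpsError("invalid-argument", "Recipient must be a valid email address");
  }
  return { inviterUid: request.auth.uid, to };
}

// Handler body: sendMail is injected so no SMTP transport is needed here.
async function handleInvite(request, sendMail) {
  const msg = authorizeInvite(request);
  await sendMail(msg);
  return { ok: true, to: msg.to };
}

// Constructed sample requests mirroring the onCall request object.
const validRequest = {
  app: { appId: "constructed-app-id" },
  auth: { uid: "user-123" },
  data: { email: "friend@example.com" },
};
const noAppCheckRequest = { auth: { uid: "user-123" }, data: { email: "friend@example.com" } };
const anonymousRequest = { app: { appId: "constructed-app-id" }, data: { email: "friend@example.com" } };
```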
