Firebase Cloud Functions on Client (vue.js) to access Back-End API data hosted on GAE PHP

[Alex Gillis]

Th is is a repost from

https://stackoverflow.com/questions/58201107/firebase-cloud-functions-on-client-vue-js-to-access-back-end-api-data-hosted-o

I had not answer and I wonder if either i asked on the wrong place or my question is not formulated  correctly, hence i riposting it here.

I have a web app hosted in Firebase in vue.js. The app access to the organization's main database via API to a back-end server developed in PHP (laravel) hosted in GAE. I'd like to know if using Firebase Cloud Function on the client (js) to make calls to a back end API (PHP) would help me to protect data and be more efficient authenticating calls from the client to back end.

Currently: Users login into the client using Firebase Auth and the client sends the resulting token to my back-end server on each API call. Then the back-end verifies the token received via HTTPS using FB Auth API and then if verified, the backend would return the request data via JSON back to the client-side via HTTPS response.

My 2 biggest concerns are:

1) would this approach scale well with more users. 2) for large extractions of data, i.e. 1000+ rows. I'd like to avoid to have JSON objects being "downloaded" on the client.

New Scenario: The users would still log in on the client (vue.js) using FB Auth, but the Client would use FB Cloud Functions to make the calls to the Back-End API data hosted on GAE and then return the data as an array.

The advantages I hope to utilize are: - The client will not have https traffic with data as this would be handled by FBCF and send to the client via socket (?). - Save verification auth calls from the server, IF there is a way for FBCF to make calls to GAE without the need to pass the token (maybe using endpoints?)

Does this make sense or am I introducing a middle man unnecessarily?

Thank you, Alex

[George (Cloud Platform Support)]

You have proceeded correctly by posting on stackoverflow. This discussion group is oriented more towards general opinions, trends, and issues of general nature touching App Engine and Cloud SQL. For coding and programming architecture, as well as comparative advantages of Firebase Auth, you'll likel be better served in dedicated forums such as stackoverflow, where experienced programmers are within reach and ready to help. 

[Charounson Saintilus]

There is a lot you can do w/ cloud functions; the limit is really up to your imagination--https://cloud.google.com/functions. In short, this makes sense, but you are introducing a middle man unnecessarily. You might find that the query through the CF is slower and doesn't necessarily make the data any more protected. 

As I understand it from your explanation, the only way a CF can call your backend without the authorization token is if you update the PHP application. Otherwise, no matter who is making the HTTP request, the server will be mostly blind to this and will still require the exchange of a token for each request. Your CF would still be returning JSON data and you should note that a CF is a backend service not a client side service. 

There are other ways to ensure the scalability of your PHP backend, but putting a CF between your client and the service that actually does the work to query the data may not be the best approach. You could consider replacing or converting your PHP backend to a CF and handle all the database queries from there. You would then have a simple client-to-CF-to-DB architecture. 

Char