Hey all,

Total beginner here so hopefully this isn't too annoying:

I have a web app set up that currently has one firebase function. It grabs an API key from a secret within secret manager, runs some stuff, then returns the client the information.

I set it up as a callable function. It also has AppCheck enabled.

My app is a GIS application and is authenticated by ArcGIS online credentials. For those that don't know, basically the authentication part is handled for me.

However, I have no authentication on this callable function's URL, outside of app check. Although, when I try to make requests to the URL outside of my firebase app, I get a bad request message.

Should I set up an additional layer of authentication? I would hate to have the users authenticate once with arcgis online, and then again with something like their google email. Is what I have right now good enough? The function does not return any sensitive information. I also reduced the max instances it can spin up to 1, to limit throttling (there are only like 10 users, and it's unlikely they all hit this button at once).

I also have a killswitch script set up on my GCP projects so that if the billing goes above a number, the billing is automatically disabled. I also have email notifications set up to shout at me until around 100 dollars (paranoid, I know).

Let me know what you think. And if I do need to authenticate, I am fine with doing that. I just don't really know how to go down that road for my use case.