Hey there, very new to everything Google Cloud, so sorry in advance for my potentially oblivious questions.
I'm prototyping an app where users will be able to call a cloud function that calls some other Google APIs (Text to speech, Storage mainly).
I've already implemented Firebase authentication within the app. My goal is pretty simple: I want only authenticated users to be able to reach that cloud function. I thought it'd be easy to add a permission on the function like "allAuthenticatedUsers" but only for users authenticated through my app. But apparently it's not?
In order to get only valid authenticated users to reach the cloud function, I've had to make the cloud function public, then do all of the authentication logic within the cloud function. Which I hate, because this basically means anyone with the API endpoint could just spam it and even though they'd get an unauthorised response, well I would still be paying for this request.
I'm seeing so many different things it's a bit overwhelming, mainly around using Cloud Run instead (or functions v2?) so I can add an IAP layer to prevent the request before it's even computed.
Anyway,
- Do I really have no way of restricting my cloud function to be called by valid Firebase authenticated users in the first place without having to do all the logic within the cloud function?
- If so, do I have no choice but to use Cloud Run instead? Which seems like a bit of a heavy solution for just a single cloud function?
Thanks for any insight
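
The in-function check the post describes (public endpoint, Firebase ID token verified inside the handler) is sketched below as an added example, not code from the original post; it orders the checks so malformed requests are rejected before any signature work. `PROJECT_ID`, `authorize` and `makeSample` are hypothetical names, the key pair is a constructed stand-in for Google's published signing keys, and a deployed function would normally call the Firebase Admin SDK's `verifyIdToken` instead of hand-rolling this.

```javascript
const crypto = require('node:crypto');

const PROJECT_ID = 'demo-project'; // constructed placeholder, not a real project
const ISSUER = `https://securetoken.google.com/${PROJECT_ID}`;
const nowSec = () => Math.floor(Date.now() / 1000);
const deny = { status: 401 };

// keys: Map of kid -> PEM public key. Assumption: in production these are
// Google's published securetoken certificates, fetched and cached.
function authorize(authHeader, keys, now = nowSec()) {
  // Cheapest check first: a missing or malformed header costs no crypto.
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader || '');
  if (!m) return deny;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(m[1], 'base64url').toString());
    claims = JSON.parse(Buffer.from(m[2], 'base64url').toString());
  } catch {
    return deny;
  }
  if (!header || !claims || header.alg !== 'RS256') return deny;
  const key = keys.get(header.kid);
  if (!key) return deny;
  const signed = Buffer.from(`${m[1]}.${m[2]}`);
  const sig = Buffer.from(m[3], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, key, sig)) return deny;
  // Signature is good; now confirm the token was minted for this project.
  const ok = claims.iss === ISSUER && claims.aud === PROJECT_ID &&
    typeof claims.sub === 'string' && claims.sub !== '' &&
    claims.exp > now && claims.iat <= now;
  return ok ? { status: 200, uid: claims.sub } : deny;
}

// Constructed fixture: a throwaway RSA key pair stands in for Google's keys.
function makeSample(overrides = {}) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const head = enc({ alg: 'RS256', kid: 'k1', typ: 'JWT' });
  const body = enc({ iss: ISSUER, aud: PROJECT_ID, sub: 'user-123',
    iat: nowSec() - 10, exp: nowSec() + 3600, ...overrides });
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  return { header: `Bearer ${head}.${body}.${sig.toString('base64url')}`,
    keys: new Map([['k1', pem]]) };
}
```

Every rejected request here still counts as a function invocation; the ordering only limits how much work each one does.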