Security Rules

Security Rules is a function-level permission control feature of CloudBase cloud functions, which precisely controls which users can invoke specific cloud functions through simple expressions.

Configuration Portal

In TCB/cloud function, click the "Permission Control" button to go to the configuration page.

Scope

Security Rules only apply to client SDK calls (callFunction) and do not apply to the following scenarios:

  • Management API invocation
  • HTTP Trigger
  • Timer Trigger
  • Database Trigger

Basic Syntax

Cloud function security rules are configured at the environment level, where all functions within the environment share a single configuration file. The configuration uses JSON format:

{
  "Function name or wildcard": {
    "invoke": "expression or boolean value"
  }
}

Configuration Structure Description

| Configuration Item | Description | Example |
|---|---|---|
| Top-level key | Function name (specific function) or * (wildcard for all functions) | "*", "getUserInfo" |
| Operation key | Fixed to invoke, indicating invocation permission | "invoke" |
| Rule value | true, false, or "auth != null" | See description of supported rule values below |
Must-read
  1. The top-level configuration of security rules must include a wildcard configuration with key *.
  2. Each function configuration must include the invoke operation configuration.
  3. Rule value only supports true, false, or "auth != null", and does not support other expressions.
  4. By default, it is recommended to configure it as "auth != null" (only logged-in users can invoke it).

Matching Priority

  1. Prioritize matching specific function name configurations.
  2. If no specific function name is matched, the * wildcard configuration is used.

Supported Rule Values

Cloud function security rules only support the following three rule values, and do not support other complex expressions (such as &&, ||, property access, etc.):

| Rule Value | Description | Applicable Scenarios |
|---|---|---|
| true | Allow all users to invoke (including unauthenticated users) | Public interfaces (obtain announcements, configurations, etc.) |
| false | Prohibit all users from invoking | Deprecated functions, functions only invoked internally |
| "auth != null" | Only authenticated users can invoke | Business functions requiring user authentication |

Unsupported Expression Examples:

  • "auth.uid != null" - Property access is not supported
  • "auth != null && auth.loginType == 'WECHAT'" - Logical operators are not supported
  • "auth.openid != null || auth.uid != null" - Complex conditions are not supported

If more fine-grained permission control is needed, implement business logic validation within the cloud function.
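As an added example (not CloudBase's own code), the following Python evaluator applies the constraints from the Basic Syntax section (wildcard entry required, invoke key required, only the three rule values) and the matching priority, and rejects the unsupported expressions listed above. The configuration, function names and the helper names validate_rules and can_invoke are all constructed for this illustration.

```python
import json

# Constructed sample configuration in the documented format (not from the page).
SAMPLE_RULES = json.dumps({
    "*": {"invoke": "auth != null"},
    "getAnnouncements": {"invoke": True},
    "legacyExport": {"invoke": False},
})


def _is_supported(value) -> bool:
    # Only the three documented rule values; any other expression is rejected.
    return value is True or value is False or value == "auth != null"


def validate_rules(config: dict) -> list:
    """Return a list of problems found against the documented constraints."""
    problems = []
    if "*" not in config:
        problems.append("missing wildcard '*' entry")
    for name, ops in config.items():
        if not isinstance(ops, dict) or "invoke" not in ops:
            problems.append(f"{name}: missing 'invoke' operation")
            continue
        if not _is_supported(ops["invoke"]):
            problems.append(f"{name}: unsupported rule value {ops['invoke']!r}")
    return problems


def can_invoke(config: dict, function_name: str, auth) -> bool:
    """Decide a callFunction call using the documented matching priority:
    the specific function entry wins, otherwise the '*' wildcard applies.
    `auth` is None for an unauthenticated caller."""
    rule = config.get(function_name, config["*"])["invoke"]
    if rule is True:
        return True
    if rule is False:
        return False
    # "auth != null": only authenticated callers may invoke
    return auth is not None


if __name__ == "__main__":
    rules = json.loads(SAMPLE_RULES)
    print("problems:", validate_rules(rules))
    print("anonymous -> orderCreate:", can_invoke(rules, "orderCreate", None))
    print("logged in -> orderCreate:", can_invoke(rules, "orderCreate", {"uid": "u1"}))
```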

Common Templates

{
  "*": {
    "invoke": "auth != null"
  }
}

All functions default to requiring user login before invocation, suitable for business systems requiring authentication.

Frequently Asked Questions

Can different permissions be set for different users?

Security rules only support three rule values: true, false, and "auth != null". Complex permission control based on user attributes, login methods, roles, etc., is not supported.

If more fine-grained permission control (such as based on roles, user groups, login methods, etc.) is needed, validation can be performed within the cloud function.

How to Troubleshoot Permission Errors?

When encountering a PERMISSION_DENIED error, please follow these steps to troubleshoot:

  1. Check security rule configuration:
  2. Confirm user login status:
    • Use the client SDK to check whether the user is logged in
    • For functions requiring "auth != null", ensure login has been completed before invocation
  3. Check error details:
    • For detailed error information, please see PERMISSION_DENIED error code
    • Check whether there is an issue with the calling method (such as using an HTTP trigger instead of the SDK callFunction)