Tags: firebase, sms, webhooks, vonage

Nexmo: Receiving SMSes


As one new to Nexmo, I found an easy way to receive SMSes using Firebase here.

After initialising Firebase with:

firebase init functions

you write into the generated index.js:

const functions = require('firebase-functions');
const admin = require('firebase-admin');

admin.initializeApp();

// HTTPS function that Nexmo calls for every inbound SMS; the parsed
// request body (the Nexmo webhook payload) is appended to /msgq.
exports.inboundSMS = functions.https.onRequest(async (req, res) => {
  await admin.database().ref('/msgq').push(req.body);
  res.sendStatus(200); // acknowledge with an empty 200 (res.send(200) is deprecated in Express 4)
});

Then you deploy the code to Firebase with:

firebase deploy --only functions

which yields a callback URL (webhook) similar to:

https://us-central1-nexmo-project.cloudfunctions.net/inboundSMS

By adding the above URL in the API settings of the Nexmo Dashboard, the messages will be grabbed by Firebase DB.

Now I have two questions.
The first is a licencing problem: the author claims that the Firebase "Pay-as-you-go plan is required to use a third-party API". What does this mean? Isn't the webhook consumer always a third party? I don't find any useful hint on the Firebase site.

The second question regards securing the callback URL. It seems that everyone can send data through the URL, so how can I avoid spamming and misuse of the URL?


Solution

  • Glad you found my post useful.

    To answer your questions -

    1. If you are using Nexmo to send an SMS, or any other service that would require you to call a 3rd party API, you would need to use the pay-as-you-go from Firebase. If you only want to use it as a webhook that would be called from an external source into Firebase, the free tier should be usable. The difference is in calling external APIs. Google provides a better explanation of this type of call - https://firebase.google.com/docs/functions/use-cases#integrate_with_third-party_services_and_apis. Google network calls shouldn't be included in this - one of the benefits of using Firebase.

    2. Securing the webhook has a couple of options. The first is, it's not an easily discoverable URL, so keeping it private should be the initial line of defense. Nexmo also has a list of IPs that can be whitelisted here - https://help.nexmo.com/hc/en-us/articles/204015053. In the headers you should be able to locate the IP and verify it before allowing it to do anything else, or just kick it out completely.

    Let me know if that helps!
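The IP check suggested in point 2 of the answer, worked through as an added example (this is not code from the question, the answer, or the Firebase/Nexmo projects). It assumes the platform front-end sets the `x-forwarded-for` header from the real peer address, as the answer says; the allowlist entries are constructed placeholders from the TEST-NET ranges and must be replaced with the ranges in the linked Nexmo help article. The helper names (`ipv4ToInt`, `inRange`, `clientIp`, `authorizeInbound`, `handleInboundSms`) are hypothetical.

```javascript
// Added example: allowlist the source IP of the inbound-SMS webhook before
// anything is written to the database. Nothing here talks to Firebase, so it
// can be run and tested offline; the wiring into index.js is shown at the end.

// CONSTRUCTED placeholder allowlist (TEST-NET-3 / TEST-NET-2 documentation
// ranges). Replace with the current Nexmo/Vonage ranges from the help article.
const NEXMO_ALLOWLIST = [
  '203.0.113.0/24',   // placeholder CIDR block, not a real Nexmo range
  '198.51.100.7',     // placeholder single address, not a real Nexmo address
];

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True if `ip` lies inside `entry`, which is a bare address or a CIDR block.
function inRange(ip, entry) {
  const [base, bitsStr] = entry.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true;
  const mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Extract the caller's address. Assumption: the platform proxy places the
// original client address first in x-forwarded-for (check your platform's
// docs; a header the platform does not rewrite can be set by the client).
function clientIp(req) {
  const xff = req.headers && req.headers['x-forwarded-for'];
  if (typeof xff === 'string' && xff.trim() !== '') return xff.split(',')[0].trim();
  return req.ip || null;
}

// Pure decision: is this request from an allowlisted source?
function authorizeInbound(req) {
  const ip = clientIp(req);
  const allowed = ip !== null && NEXMO_ALLOWLIST.some(entry => inRange(ip, entry));
  return { allowed, ip, reason: allowed ? 'ok' : `source ${ip || 'unknown'} not in allowlist` };
}

// Reject unknown senders before touching storage. `store` is injected so the
// logic runs without a live project; in index.js pass
// body => admin.database().ref('/msgq').push(body).
async function handleInboundSms(req, store) {
  const decision = authorizeInbound(req);
  if (!decision.allowed) return { status: 403, stored: false, reason: decision.reason };
  await store(req.body);
  return { status: 200, stored: true, reason: 'ok' };
}

// Wiring for index.js (not executed here; assumes firebase-functions/firebase-admin):
// exports.inboundSMS = functions.https.onRequest(async (req, res) => {
//   const result = await handleInboundSms(req, body => admin.database().ref('/msgq').push(body));
//   res.sendStatus(result.status);
// });

// Stand-alone demo with constructed requests: one allowlisted, one not.
async function demo() {
  const written = [];
  const store = async body => { written.push(body); };
  const fromNexmo = { headers: { 'x-forwarded-for': '203.0.113.42' },
                      body: { msisdn: '447700900123', text: 'hello' } };   // constructed
  const fromElsewhere = { headers: { 'x-forwarded-for': '192.0.2.9' },
                          body: { msisdn: '000', text: 'spam' } };        // constructed
  const accepted = await handleInboundSms(fromNexmo, store);
  const rejected = await handleInboundSms(fromElsewhere, store);
  return { accepted, rejected, written: written.length };
}

demo().then(r => console.log(JSON.stringify(r)));
```

The address check is defense in depth on top of keeping the URL private, as the answer orders them: a request from outside the allowlist is refused with 403 before `/msgq` is touched, so a discovered URL cannot be used to fill the queue.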