I have a Xero App that handles REST API calls to my Xero Company data, and also posts data as a webhook when certain records are changed. I perform the HMAC hashing authentication for the webhook using a Google Cloud Function written in Python, which, once authenticated, sends the data to a Power Automate flow (Receive HTTP request is the trigger).

Now this process works perfectly, and I get instant updates on changes to Xero records, which is great. However, before going live I want to be certain each step is as secure as it can be, given the sensitivity of the data.

When looking at the Google Functions security tab, I see that currently the function is set to 'Allow Unauthenticated Invocations'. This makes me quite nervous, but I also don't fully understand the implications of this. In the wrong hands, could my sensitive invoice data be redirected/stolen?

I am hesitant to set the security status to 'Require Authentication', as I am unsure if this will prevent Xero from sending the hook data to the function, and if this is the case, I do not know how to then set up permissions in such a way that allows the webhook to invoke the function while prohibiting any other invocations.

Any help would be greatly appreciated!

[Screenshot: Google Function Security Settings]

I haven't tried enabling the security but I have set up a new IAM service account which I think is needed as part of a switch to a more secure approach to the function.

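An added example (not the asker's function) of the verification step the question describes, written so that the HMAC check is the gate: with 'Allow Unauthenticated Invocations' on, anyone who learns the URL can send requests, but nothing is forwarded to Power Automate unless the raw body was signed with the Xero webhook key. Assumed here: the key is read from an environment variable `XERO_WEBHOOK_KEY`, and `forward` stands in for the call to the Power Automate HTTP trigger.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Xero signs the raw request body with HMAC-SHA256 using the webhook key
# shown in the app's webhook settings, and sends base64(digest) in the
# x-xero-signature header. A mismatch must get HTTP 401 with no further
# processing; Xero's "Intent to receive" check relies on exactly that.
SIGNATURE_HEADER = "x-xero-signature"


def compute_signature(raw_body: bytes, webhook_key: str) -> str:
    """Return base64(HMAC-SHA256(webhook_key, raw_body))."""
    digest = hmac.new(webhook_key.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(raw_body: bytes, header_value: Optional[str], webhook_key: str) -> bool:
    """Constant-time comparison of the header against our own computation.

    Compare over the raw bytes exactly as received: re-serialising the parsed
    JSON would change whitespace or key order and break the check.
    """
    if not header_value:
        return False
    expected = compute_signature(raw_body, webhook_key)
    return hmac.compare_digest(expected, header_value)


def handle_webhook(request, forward, webhook_key: Optional[str] = None):
    """Cloud Function entry-point shape: verify first, forward only on success.

    `request` is Flask-style (get_data(), headers). `forward` is the callable
    that posts to Power Automate (assumed name), injected so this runs offline.
    """
    key = webhook_key or os.environ.get("XERO_WEBHOOK_KEY", "")  # assumed variable
    raw_body = request.get_data()  # bytes, untouched
    if not key or not verify_signature(raw_body, request.headers.get(SIGNATURE_HEADER), key):
        # Reject before touching the payload: the signature is the only thing
        # that tells an unauthenticated function the caller is really Xero.
        return ("unauthorized", 401)
    forward(raw_body)
    return ("ok", 200)
```

Because this function is unauthenticated at the IAM layer, the check above is the authentication; keep the webhook key out of source control and rotate it from the Xero app settings if it is ever exposed.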
