Building Secure Firebase Functions for Shopify Hydrogen

Introduction

Hydrogen storefronts often need custom APIs for wishlist, reviews, or loyalty redemptions. Firebase HTTPS Functions provide a serverless way to extend Shopify, but without guardrails, they can become leaky, insecure, or quota-busting.

This post shows how to scaffold secure Firebase Functions that integrate cleanly with Hydrogen, Shopify APIs, and Firestore.

Why Firebase Functions?

  • ⚡ Serverless → scale on demand, no infra overhead.
  • 🔐 Security → JWT verification, Firebase Auth rules.
  • 🌍 Speed → low-latency edge regions.
  • 🔄 Integration → bridges Shopify Storefront API with Firestore.

Example: Wishlist Function

    import * as functions from "firebase-functions";
    import * as admin from "firebase-admin";
    import { z } from "zod";

    admin.initializeApp();
    const db = admin.firestore();

    const WishlistSchema = z.object({
      customerId: z.string(),
      productId: z.string(),
    });

    export const addToWishlist = functions.https.onRequest(async (req, res) => {
      try {
        // Verify the Firebase Auth ID token. The header is "Bearer <token>";
        // verifyIdToken expects the bare token, not the whole header value.
        const match = /^Bearer\s+(\S+)$/i.exec(req.headers.authorization ?? "");
        if (!match) {
          res.status(401).json({ error: "Missing bearer token" });
          return;
        }
        const token = await admin.auth().verifyIdToken(match[1]);

        // Validate the payload against the schema before touching Firestore.
        const data = WishlistSchema.parse(req.body);

        // A valid token is not enough: callers may only write their own wishlist.
        if (token.uid !== data.customerId) {
          res.status(403).json({ error: "Forbidden" });
          return;
        }

        await db.collection("wishlists").add(data);
        res.json({ success: true });
      } catch (err) {
        // Schema and token errors both land here; keep the response generic.
        const message = err instanceof Error ? err.message : "Bad request";
        res.status(400).json({ error: message });
      }
    });

Security Guardrails

  • ✅ JWT Verification → block unauthenticated requests.
  • ✅ Zod Validation → validate payloads against schema.
  • ✅ CORS Control → allow only your Hydrogen domain.
  • ✅ IAM Roles → limit Firestore/Storage access.
  • ✅ Secrets Management → keep API keys in GCP Secret Manager.

Patterns for Hydrogen Integration

  • Wishlist: Firebase Functions → Firestore.
  • Reviews: API endpoint with moderation queue.
  • Loyalty: Shopify orders → webhook → Firebase Function → Firestore ledger.
  • Hybrid Auth: Customer Account API + Firebase Auth tokens bridged in functions.

CI/CD Guardrails

  • Run ESLint + type checks before deploy.
  • Test quotas with load tests (avoid 429 errors).
  • Fail deploy if functions exceed size limits.
  • Monitor logs in Firebase Console + alert on errors.

Case Study: Electronics Brand

  • Built wishlist + reviews endpoints in Firebase.
  • Guardrails: JWT auth, schema validation, error logging.
  • Result: 0 auth bypasses, <200ms average response, scalable under holiday load.

Best Practices

  • ✅ Keep Shopify as the source of truth (orders, products).
  • ✅ Use Firebase Functions for auxiliary features.
  • ✅ Always add schema validation (Zod/Yup).
  • ✅ Separate environments (staging/prod).
  • ✅ Automate monitoring + alerts.

Conclusion

Firebase Functions give Hydrogen storefronts the extensibility they need, but only when built securely. With JWT, Zod, CORS, and CI guardrails, developers can extend Shopify without creating vulnerabilities.

Speed without security is just fragility.