Email: [Firebase] Client access to your Cloud Firestore database expiring in X day(s)


Question

I got an email that indicates I was developing in "test mode", but that it left my database completely open to the internet. The default rules I initially accepted look like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // This rule allows anyone on the internet to view, edit, and delete
    // all data in your Firestore database. It is useful for getting
    // started, but it is configured to expire after 30 days because it
    // leaves your app open to attackers. At that time, all client
    // requests to your Firestore database will be denied.
    //
    // Make sure to write security rules for your app before that time, or else
    // your app will lose access to your Firestore database
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2019, 12, 14);
    }
  }
}

What needs to be done to satisfy the request of this email?

Answer

The security rules shown here are a departure from the previous default rules that were much more permissive. The idea with this rule:

match /{document=**} {
  allow read, write: if request.time < timestamp.date(2019, 12, 14);
}

Is that you get unrestricted access to your Firestore database up until the given date, in order to freely experiment with it for a month. However, allowing unrestricted access is obviously a massive security hole in the long run.

The recommended course of action is to first remove this rule entirely as it allows anyone to read and write anything in your database. Then, devise some proper rules that allow only access to collections and documents that your eventual users should be able to access. A full discussion of that is off-topic for Stack Overflow (as we don't know your app's requirements), but here are some good places to start learning about security rules:

  • The documentation
  • This video series

What you should be doing is calling out the access constraints for each collection and subcollection in your database. Ideally, you should lock down unauthenticated write access to all collections, except where absolutely required. In the best case, you're using Firebase Authentication to help control access to documents only as required for authenticated users.

Alternatively, if you're done working with the database (for the time being), you can block access to the database from web and mobile clients entirely by using the following rule exclusively:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    allow read, write: if false;
  }
}

With this rule, access from backend code using the Firebase Admin SDK or other Cloud SDKs will still be allowed.
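As an added example (not code from the original answer), here is one way to turn the advice above into a rules file: the expiring catch-all is gone, each collection gets its own constraint, unauthenticated writes are locked down, and Firebase Authentication gates per-user data. The collection names `products`, `users/{userId}` and `users/{userId}/orders`, and the required fields `item` and `qty`, are assumptions for illustration.

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Public, read-only catalogue (assumed collection name).
    // Anyone may read; client writes are refused. Backend code using the
    // Admin SDK bypasses these rules and can still maintain the data.
    match /products/{productId} {
      allow read: if true;
      allow write: if false;
    }

    // Per-user profile (assumed collection name): only the signed-in owner
    // may read or write their own document. request.auth is null for
    // unauthenticated requests, so they are denied here.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;

      // Owner may read and create their own orders; the required fields
      // are assumed. Edits and deletes are left to backend code only.
      match /orders/{orderId} {
        allow read: if request.auth != null && request.auth.uid == userId;
        allow create: if request.auth != null
                      && request.auth.uid == userId
                      && request.resource.data.keys().hasAll(['item', 'qty']);
        allow update, delete: if false;
      }
    }

    // No catch-all match: any path not listed above is denied by default.
  }
}
```

Before deploying, exercise each rule against signed-in and anonymous requests in the Rules Playground or the local emulator so that a missing `match` denies as intended rather than silently breaking a client.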
