Limit concurrent logins by an authenticated user in Firebase


Problem description

I have been looking and playing with Firebase and I found it really interesting.

So far I have tried some simple authentication and security policy setting but now I have a problem which does not seem to be covered in the documentation and I couldn't find anything on Google or here.

The problem is that I cannot find a way to limit the number of concurrent logins per email/password.

I would like to have an option where paid customers can only log in from 1 IP at a time. In other words, I don't want people to be able to purchase an account and then share the same with friends and family and then all connect to the system at the same time using the same credentials.

Thanks.

Recommended answer

You will control access by writing to a path in Firebase whenever a user logs in. Then you can check that path to ensure only one user exists at a time:

  • write a value to a path each time a user logs in (e.g. logged_in_users/$user_id)
  • use onDisconnect() to delete that value when the user disconnects
  • check that path for a value on an additional login attempt
  • show an error if the value exists or allow login if not

This takes care of the UX portion. To secure it against exploits, you will take advantage of Firebase's comprehensive security rules:

  • generate your own authentication tokens using the custom login strategy
  • include the IP address as part of the data inside the token
  • reject login attempts if the logged_in_users/$user_id is set to a different IP address
  • write security rules to prevent read/write from other IPs

Assuming you've generated tokens containing an IP address, your security rules could look something like the following:

".read": "root.child('logged_in_users/'+auth.uid).val() === auth.ip_address"

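The login steps from the answer, as an added example that is not part of the original answer: the check and the write happen in one transaction so two simultaneous logins cannot both pass, and onDisconnect() is registered only after the slot is claimed. It assumes the namespaced Firebase JavaScript SDK (`ref.transaction`, `ref.onDisconnect()`) and that the IP string is stored at the path, as the rule above expects; `claimSlot`, `acquireSession` and `fakeRef` are hypothetical names and the IP values are constructed.

```javascript
// Added example. `ref` is assumed to be a Realtime Database reference to
// logged_in_users/<uid>; `ip` is assumed to be the address the server
// placed in the custom token.

// Transaction update function. Firebase calls it with the current value at
// the path and may re-run it if the server value differs from the local cache.
// Returning undefined aborts the transaction without writing.
function claimSlot(current, ip) {
  if (current === null || current === ip) {
    return ip;        // slot is free, or already held from this address
  }
  return undefined;   // held from another address: abort
}

async function acquireSession(ref, ip) {
  const result = await ref.transaction((current) => claimSlot(current, ip));
  if (!result.committed) {
    return false;     // caller shows the "already logged in" error
  }
  // Register cleanup only after the slot is ours. Registering it earlier
  // would let a rejected client delete the legitimate holder's entry when
  // it disconnects. A crash between commit and this call leaves a stale
  // entry, so a server-side expiry is still worth having.
  await ref.onDisconnect().remove();
  return true;
}

// Constructed in-memory stand-in for a database reference, for offline runs.
function fakeRef(initial) {
  const state = { value: initial, cleanup: false };
  return {
    state,
    transaction: async (update) => {
      const next = update(state.value);
      if (next === undefined) return { committed: false };
      state.value = next;
      return { committed: true };
    },
    onDisconnect: () => ({ remove: async () => { state.cleanup = true; } }),
  };
}
```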