用于PHP的Firebase Admin SDK是隐藏Firebase凭据的有效方法吗? [英] Is the Firebase Admin SDK for PHP an effective way to hide Firebase credentials?
问题描述
到目前为止,我了解到Firebase的安全规则无论我们使用什么平台,在确保数据安全方面都起着重要的作用.但是我发现,如果开发人员以易于在客户端脚本上看到Firebase凭证的方式来构造Web + JavaScript组合和其他实现,则它们可能完全处于风险之中.
So far I've learned that Firebase's Security Rules play an important role in keeping our data secure regardless of the platform we're using. But I found that the Web + JavaScript combo and other implementations might be purely exposed to risk if developers structure them in such a way that firebase credentials can easily be seen on the client scripts.
非常感谢,Firebase支持 REST API 可以以某种方式减轻风险的语言.为此,我查看了用于Web数据的Kreait Firebase Admin SDK 我正在创建的管理门户.
Thankfully, Firebase has support for REST API's in a variety of languages which can mitigate the risk, somehow. For this purpose, I took a look at Kreait's Firebase Admin SDK for PHP for a Web data administration portal that I am creating.
这是适用于PHP的Firebase Admin SDK的简单演示.
Here is a simple demo for the Firebase Admin SDK for PHP.
我在此库中发现的以下几点是:
- Firebase凭据写在后端脚本上,它们隐藏在前端客户端上
- 查询和数据库操作及实现对客户端隐藏
- 具有对Firebase实时数据库,身份验证和用户管理的后端支持
我的问题是:
- 我的firebase凭证真的安全吗,使用这种方法而不是仅仅将其放入普通的javascript文件中,就不会向全世界广播吗?
- 是否还有其他方法可以使Firebase凭据和数据更安全(除了加密数据,通过REST实现和结构正确的安全规则将它们隐藏在后端脚本中)?
预先感谢您的评论和建议.
Thank you in advance for your comments and suggestions.
推荐答案
在前端应用程序中公开API密钥或项目ID之类的信息没有安全风险(请参阅
There's no security risk in exposing information like the API Key or Project ID in your front-facing application (see https://firebase.google.com/docs/web/setup, it's the recommended procedure) - your web application can only do what the currently authenticated user is allowed to do.
当然,存在安全规则定义不正确的风险,但是后端应用程序也存在这种情况-一个愚蠢的例子:当您在服务器上创建无密码帐户时,任何人都可以使用该密码登录帐户^^.
There's, of course, the risk that the security rules are not well defined, but that's the case with a backend application as well - a stupid example: when you create a passwordless account on a server, anyone can log in with that account ^^.
关于Admin SDK:它们的主要目的是执行管理和/或后端任务.如果将业务逻辑从客户端(= Browser)转移到后端,则将失去许多Web库提供的现成功能.您将不得不重新实现功能,将数据从前端传递到后端,再传递回后端……我认为这不值得麻烦.
Concerning the Admin SDKs: their primary purpose is to perform administrative and/or backend tasks. If you shift your business logic from the client (= Browser) to the backend, you will lose a lot of the functionality that the web libraries provide out of the box. You will have to re-implement functionality, pass data from the frontend to the backend and back... I don't think this would be worth the hassle.
因此,我的建议是:不要担心在浏览器中查看JS代码时可见的配置代码片段,并最好使用自动化测试套件对您的安全规则进行广泛的测试,并且您应该一切都很好.
So, my recommendation is: don't worry about the config snippet that is visible when looking at the JS code in the browser and test your security rules extensively, preferably with an automated test suite, and you should be just fine.
这篇关于用于PHP的Firebase Admin SDK是隐藏Firebase凭据的有效方法吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
