如何在Firebase中设置规则，以便只有我的应用可以在数据库Firestore上写? [英] How can I set Rules in Firebase so that only my app can write on my database firestore?

问题描述

Firebase告诉我，我的数据库不安全，因为我已经遵守规则:

Firebase told me that my Database is not secure because I had as rules:

service cloud.firestore {
 match /databases/{database}/documents {
   match /mypath/{document=**} {
    allow write: if true;
    allow read, delete: if false;
   }
  }
 }

我没有关于读取和删除的问题，因为只有使用FirebaseAdmin的服务器才能执行此类操作.但是我仍然有关于写操作的问题.这就是我切换到此配置的原因:

I do not have problem about read and delete since only my server that use FirebaseAdmin can do such operations. However I still have a problem regarding write operations. This is the reason why I switch to this configuration:

service cloud.firestore {
  match /databases/{database}/documents {
    match /mypath/{document=**} {
      allow write: if request.resource.data.psw == 'mypassword';
      allow read, delete: if false;
    }
  }
}

我的想法是在应用程序的配置文件中写入一个密码，并将其与要保存在Firestore上的数据一起使用.此方法安全还是有更好的方法?

my idea is to write a password in a configuration file of my app and using it together the data that I want to save on Firestore. Is this method secure or there is a better way?

提前感谢您的任何建议.

thanks in advance for any advice.

推荐答案

您正在使用的方案根本不安全，因为您要将秘密"发送到客户端应用程序.您包含在应用程序中的任何信息本质上都是公共信息，因为很容易分解移动或网络应用程序的数据以查看其工作原理.

The scheme you're using isn't secure at all, since you're shipping your "secret" to client apps. Any piece of information you include in your app is essentially public information, since it's easy to break down a mobile or web app data to see exactly how it works.

安全的方法是使用Firebase身份验证来限制谁可以读取或写入某些数据.这是按用户保护数据库的唯一方法.无法基于每个应用安全地限制对数据库的访问.

The secure way is to use Firebase Authentication to limit who can read or write certain data. This is the only way secure a database on a per-user basis. It's not possible to securely limit access to a database on a per-app basis.

请记住，您现在所拥有的功能还允许任何客户端更新，而无需提供密码. request.resource.data.psw将为先前最初正确设置的更新正确设置.这是因为request.resource.data包含先前文档的所有内容，以及更新中添加的所有更改.

Bear in mind also that what you have now also allows any client to update any known document without providing the password. request.resource.data.psw will be set correctly for updates where it was previously initially set correctly. That's because request.resource.data contains all the prior document's content, plus whatever changes were added in the update.

如果您由于某种原因不能使用Firebase身份验证，那么您现在可以做的是最好的，但是应该知道它不是很安全.

If you can't use Firebase Authentication for some reason, what you're doing now is the best you can do, but it really should be known that it's not very secure.

这篇关于如何在Firebase中设置规则，以便只有我的应用可以在数据库Firestore上写?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！