Secure Firestore database using rules. Check authentication. Is it enough?


Question

I'm new to Firebase and trying to understand database rules. I'm using Firestore.

I have a database that basically needs to be read, and also written, by all users. All users can see the documents in the database, and with certain actions they change certain fields. In certain cases they will delete certain old, expired documents.

Now, I understand that I cannot leave read and write open to all, since this is not secure. So I am using authentication: I will authenticate the users anonymously, so that only authenticated users have access.

I know this can be done with:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth.uid != null;
    }
  }
}

Now, my question is, is this enough? I'm not a hacker, so I don't exactly know how a hacker would or could hack and delete/change stuff in my database, but does this mean that changes can only be made to the database through the app? Could someone still hack this if they aren't using the app, and authenticate in some other illegal way?

Thanks so much for the help. I've tried to read up to get to the bottom of this, but haven't managed.

Answer

Firebase security rules can't limit access to a single app. All of the APIs are available for public use by anyone who has an internet connection. They are all documented right here: https://firebase.google.com/docs/reference/rest/auth

The purpose of Firebase Authentication is to make sure that individual users have their individual access controlled appropriately. As soon as you let users create accounts using anonymous or email auth, they will have full access to all documents in the database with these rules. So, what you have right now is not really "secure" by most definitions of that word. You will have to decide if this is "secure" enough for your purposes.

You are also likely to get an email from Firebase saying that your rules are insecure. It's not a good idea to use /{document=**} like this; it matches all documents, which might not be what you intend. Minimally, you should call out the individual collections that you want users to access instead of using this global wildcard.
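As an added example (not part of the original answer, and not Firebase's own documentation), here is one way to rewrite the rules along the lines the answer suggests for the workflow the question describes: every signed-in user may read, only specific fields may be changed, and only expired documents may be deleted. The collection name `items` and the fields `title`, `status`, `claimedBy` and `expiresAt` are assumptions chosen for illustration; the question does not name them.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Any signed-in account, including anonymous ones. Anyone holding the
    // project's public web API key can create such an account through the
    // public Auth REST API, so this gate only excludes unauthenticated
    // callers; it does not limit access to "the app".
    function signedIn() {
      return request.auth != null;
    }

    // Hypothetical collection: the question's documents that everyone reads,
    // partly updates and eventually deletes are assumed to live here.
    match /items/{itemId} {
      // Everyone who is signed in may read, as the question requires.
      allow read: if signedIn();

      // New documents must carry the fields the rules below depend on,
      // with the right types, so later checks cannot be bypassed by
      // omitting a field.
      allow create: if signedIn()
        && request.resource.data.keys().hasAll(['title', 'status', 'expiresAt'])
        && request.resource.data.title is string
        && request.resource.data.status in ['open', 'claimed', 'done']
        && request.resource.data.expiresAt is timestamp;

      // "Certain actions change certain fields": only these two keys may
      // change, status must stay within the allowed set, and a claim may
      // only be set to the caller's own uid.
      allow update: if signedIn()
        && request.resource.data.diff(resource.data).affectedKeys()
             .hasOnly(['status', 'claimedBy'])
        && request.resource.data.status in ['open', 'claimed', 'done']
        && (!request.resource.data.diff(resource.data).affectedKeys()
               .hasAny(['claimedBy'])
            || request.resource.data.claimedBy == request.auth.uid);

      // Deletion is allowed only once the document's expiry time has passed,
      // measured by the server clock, not by anything the client sends.
      allow delete: if signedIn()
        && resource.data.expiresAt < request.time;
    }

    // No catch-all /{document=**} rule: every other collection is denied
    // by default.
  }
}
```

Compared with the rules in the question, these still let any signed-in user (including an anonymous account minted outside the app) read everything, which is what the question asks for, but a caller can no longer overwrite arbitrary documents, invent fields, or delete documents that have not expired. What a user can do is now bounded by the rules rather than by what the app's UI happens to offer. Rules like these can be exercised against the Firestore emulator with the `@firebase/rules-unit-testing` package before deploying them, which is a cheaper way to find an overly broad `allow` than waiting for the "insecure rules" email.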
