限制Firebase数据库和存储对特定组的写访问权限 [英] Restrict firebase database and storage write access to a specific group
问题描述
我有一个带有内容管理端的react redux firebase应用程序(所有这些页面均以/admin/...开头).我需要将Firebase数据库和Firebase存储的写访问权限限制为这些用户的一小部分,并且需要在未经身份验证(或未经管理员身份验证)的用户尝试访问时进行重定向.目前,任何发现auth按钮位于/admin的人都可以使用facebook或google登录,然后可以访问所有内容.
I have a react redux firebase app with a content management side (all those pages start with /admin/...). I need to restrict firebase database and firebase storage write access to a small subset of those users, as well as handle a redirect when an unauthenticated (or authenticated without admin role) user tries to go there. Currently, anyone who figures out that the auth buttons are at /admin can log in with facebook or google, then have access to everything.
从我阅读的内容来看,似乎是通过自定义令牌,但是我不清楚他们将提供的摘要放在何处以安全地执行此操作.我尝试通过Web控制台在Firebase数据库中手动添加admin: true,然后按如下所示设置我的Firebase数据库规则:
From what I've read, it looks like one does this via custom tokens, but I'm unclear on where to put the snippets they provide to do this securely. I tried manually adding admin: true inside the firebase database via the web console, then set up my firebase database rules like so:
{
"rules": {
".read": "true",
".write": "auth != null && root.child('users').child(auth.uid).child('admin').val() == true"
}
}
这似乎在保护对数据库的写访问方面起作用,但是我无法使用相同的admin字段/令牌存储Firebase,所以我必须这样做:
This seems to work in terms of protecting write access to the database, but I was unable to use the same admin field/token for firebase storage, so I had to do this:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth!=null && request.auth.uid=="{my uid}";
//request.auth.token.admin==true did not seem to work
}
}
}
我也无法在客户端上显示该admin: true,所以我现在没有重定向的方法.
I also couldn't get that admin: true to show up on the client, so I don't have a way of of redirecting right now.
有人可以帮我清理一下吗?
Can someone please clear this up for me?
推荐答案
Firebase通过对ID令牌的自定义用户声明支持对任何用户的基于角色的访问:
Firebase supports role based access on any user via custom user claims on the ID token: https://firebase.google.com/docs/auth/admin/custom-claims
您将定义管理员访问规则:
You would define the admin access rule:
{
"rules": {
"adminContent": {
".read": "auth.token.admin === true",
".write": "auth.token.admin === true",
}
}
}
使用服务器上的Admin SDK设置用户角色.您可以使用自己的服务器,也可以通过云功能中的onCreate事件设置此服务器(只要您可以知道谁是管理员,谁不是管理员),等等:
Set the user role with the Admin SDK from a server. You could use your own server, or set this via an onCreate event in cloud functions (as long as you can tell who is admin and who is not from there), etc:
// Set admin privilege on the user corresponding to uid.
admin.auth().setCustomUserClaims(uid, {admin: true}).then(() => {
// The new custom claims will propagate to the user's ID token the
// next time a new one is issued.
});
这将传播到相应用户的ID令牌声明中.
This will propagate to the corresponding user's ID token claims.
要从客户端上的令牌解析它,请检查: https ://firebase.google.com/docs/auth/admin/custom-claims#access_custom_claims_on_the_client
To parse it from the token on the client, check: https://firebase.google.com/docs/auth/admin/custom-claims#access_custom_claims_on_the_client
您基本上需要对令牌的有效载荷进行base64解码.但是,如果您正在运行自己的服务器端代码,则始终依靠通过Firebase规则或ID令牌验证进行服务器端验证.
You basically need to base64 decode the payload of the token. However, always rely on server side validation via Firebase rules or ID token verification if you are running your own server side code.
这篇关于限制Firebase数据库和存储对特定组的写访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
