Firebase对象密钥可以猜测吗? [英] Are Firebase Object Keys Guessable?

问题描述

说我有这样的数据:

users{
 $authId: {
     name:"",
     propertiesById:{
          uniqueId1:true,
          uniqueId2:true
     }
 }
},
properties:{
     uniqueId1:{
        key:val
     },
     uniqueId2:{
        key:val
     }
 }

假设我有适当的规则让用户只能读取/写入自己的用户对象，那么如何安全地读取属性?

Assuming that I have the proper rules in place for users to be able to only read/write their own user object, how do I go about reading my properties safely?

我知道在规则中，我可以进入root用户，找到用户对象，并确保我要读取的属性存在于propertiesById中，但这似乎会影响性能，因为它们将非常大属性集合.

I know that in rules, I can go to root, find the user object and ensure that the property that I'm trying to read exists in the propertiesById, but that seems like it would impact performance since these will be very large collections of properties.

如果可能的话，我将如何写一条规则说:用户不能仅通过密钥单独获取整个属性集合".另外，如果我能够编写此规则，那会安全吗?我不清楚很难猜出Firebase push()生成的密钥.

How would I, if at all possible, go about writing a rule that says: "users cannot grab the entire properties collection, only individually by key". Also, if I were able to write this rule, would it be safe? I'm unclear on difficult it would be to guess the keys generated by firebase push().

推荐答案

虽然Firebase推送ID很难猜测，但绝对可以猜测.您不应该依赖用户无法猜测推送ID的安全性.

While Firebase push IDs are hard to guess, they are definitely guessable. You should not rely on the user not being able to guess a push ID for security.

尽管如此，精确地做到这一点很容易:

Given that though, it is very easy to do precisely that:

{
  "rules": {
    "properties": {
      "$uniqueId": {
        ".read": true,
        ".write": true
      }
    }
  }
}

这些规则允许任何用户读取任何特定的属性，只要他们知道该属性存在.因此，没有人可以阅读/properties，但是每个人都可以阅读/properties/uniqueId1和/properties/uniqueId2.

These rules allow any user to read any specific property, as long as they know that property exists. So no-one can read /properties, but everyone can read /properties/uniqueId1 and /properties/uniqueId2.

但是再说一次:这不安全，因为推送ID在某种程度上可以合理猜测.

But again: this is not secure as push IDs are at some level reasonably guessable.

摘自 Firebase博客文章，其中介绍了推送编号:

我们还遇到有关开发人员是否可以依靠推送ID使其他人无法猜测的问题，如果您尝试通过无法猜测的Firebase路径进行安全性保护，则这一点很重要.通常很难猜测推送ID，但是如果您依赖不可猜测的ID，则应该使用更安全的机制自己生成它们.

We also get questions on whether developers can rely on push IDs to be unguessable by others, which can be important if you're trying to do security via unguessable Firebase paths. While push IDs are generally very hard to guess, if you’re relying on unguessable IDs you should generate them yourself using a more secure mechanism.

这篇关于Firebase对象密钥可以猜测吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！