Realtime Database Firebase Security rules issue


Question

I have created an app in Android Studio and linked it with Firebase Realtime Database. I need to perform 3 verifications:

  1. The user enters his phone number, and the number is checked against my database; if it exists, then:

  2. A one-time PIN is generated by Firebase's notification service and the phone is verified.

  3. On the next screen the user's PIN is checked against my database, and then finally he gets to the menu screen.

Now I am confused as to what I should set as my security rules: authentication takes place at step 2, so I can't write the rules using 'auth', and without 'auth' the database will be public (as far as I know; please correct me if I am wrong), which is not safe. What can be done?

Answer

Indeed, as you mentioned, at step 1 there is no authentication. Therefore, if you want to "directly" read the Realtime Database to check that the phone number exists, you cannot avoid everybody having access to the Realtime Database node under which all the phone numbers are listed.

Another option would be to use a Cloud Function called through HTTPS (as a REST API) that checks whether a given phone number is within the list of authorized phone numbers.

In this way you can apply restrictive read-access rules to the list of phone numbers, since the Cloud Function will access it as Admin. And instead of exposing the list of all phone numbers, you only allow checking whether ONE phone number is authorized or not.

Look at the documentation to read how to create a function that can be triggered through an HTTP request: https://firebase.google.com/docs/functions/http-events

Basically you would do something like:

const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp();

exports.checkPhoneNbr = functions.https.onRequest((req, res) => {
  let phoneNumberToCheck = req.query.phoneNumber;

  // The Admin SDK bypasses the security rules, so the client never reads /phoneNumbers itself
  return admin.database().ref('/phoneNumbers/' + phoneNumberToCheck).once('value').then(snapshot => {
    if (snapshot.val()) {
      // the phone number exists, do something, i.e. write to another database node or send back a successful HTTP response
      res.status(200).send("PhoneNbrExists");
    } else {
      res.status(200).send("PhoneNbrDoesNotExist");
    }
  }).catch(error => {
    // Always answer, otherwise the function hangs until it times out
    res.status(500).send("Error");
  });
});

So:

1/ You call this Function from your Android app (through HTTPS), with the phone number in the query string of the function URL.

2/ The Cloud Function checks whether the phone number exists. If so, it can send back a success message (or write to another node of the RT DB). If not, it sends back a failure message.

3/ In the Android app, after receiving the response from the Cloud Function, continue (or not) with the next step.

Also, have a look at the functions samples, in particular the HTTP ones, like:

https://github.com/firebase/functions-samples/blob/master/quickstarts/time-server/functions/index.js
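A fuller version of the check described in the answer, added here as an example and not code from the answer or from Firebase. It assumes the Express-style (req, res) handler shape that functions.https.onRequest() provides, and replaces the Admin SDK read with an injected lookup function so the block runs offline against constructed sample data. Two things the sketch above leaves out are shown: the number is validated before it is concatenated into a database path, so a blank or malformed phoneNumber cannot turn the single-key read into a read of the whole /phoneNumbers node (or of some other child), and the number travels in a POST body rather than the query string so it does not end up in URL or access logs. With the rules set to { "rules": { "phoneNumbers": { ".read": false, ".write": false } } } no client can read the list; the Admin SDK used by the function bypasses the rules.

```javascript
// Added example, not code from the answer or from Firebase: an HTTPS check of
// ONE phone number against a privileged lookup that never returns the list.
// `lookup(path)` stands in for admin.database().ref(path).once('value') and is
// assumed to resolve to the stored value, or null when the node does not exist.

// Normalise user input to E.164: "+" followed by 7 to 15 digits. Anything else
// is rejected before it reaches the path, so a blank value cannot turn the
// single-key read into a read of /phoneNumbers itself, and a value containing
// "/" cannot point the read at some other child.
function normalizePhoneNumber(raw) {
  if (typeof raw !== "string") return null;
  const compact = raw.replace(/[\s\-().]/g, "");
  return /^\+[1-9]\d{6,14}$/.test(compact) ? compact : null;
}

// Path of exactly one key under /phoneNumbers. "+" and digits are legal
// Realtime Database key characters, so no escaping is needed once normalised.
function phoneNumberPath(number) {
  if (normalizePhoneNumber(number) !== number) {
    throw new Error("phoneNumberPath expects a normalised E.164 number");
  }
  return `/phoneNumbers/${number}`;
}

// Build the Express-style (req, res) handler that functions.https.onRequest()
// expects. Only the existence bit leaves the function, never the node content.
function makeCheckHandler(lookup) {
  return async function checkPhoneNbr(req, res) {
    if (req.method !== "POST") {
      // POST keeps the number out of URL and access logs.
      res.status(405).json({ error: "use POST with a JSON body" });
      return;
    }
    const number = normalizePhoneNumber(req.body && req.body.phoneNumber);
    if (number === null) {
      res.status(400).json({ error: "phoneNumber must be in E.164 form" });
      return;
    }
    try {
      const value = await lookup(phoneNumberPath(number));
      res.status(200).json({ exists: value !== null && value !== undefined });
    } catch (err) {
      // Do not echo the error; it may carry the path or project details.
      res.status(500).json({ error: "lookup failed" });
    }
  };
}

// Constructed in-memory stand-in for the /phoneNumbers node so the handler
// can be exercised offline.
const SAMPLE_DB = {
  "/phoneNumbers/+14155550100": true,
  "/phoneNumbers/+442071234567": { label: "constructed entry" },
};
async function sampleLookup(path) {
  return Object.prototype.hasOwnProperty.call(SAMPLE_DB, path) ? SAMPLE_DB[path] : null;
}

// Minimal stand-in for the Express response object: records status and body.
function recordResponse() {
  const rec = { statusCode: 0, body: null };
  rec.res = {
    status(code) { rec.statusCode = code; return rec.res; },
    json(obj) { rec.body = obj; return rec.res; },
  };
  return rec;
}

// Drive the handler for one request and return { status, body }.
async function runCheck(method, body, lookup = sampleLookup) {
  const rec = recordResponse();
  await makeCheckHandler(lookup)({ method, body }, rec.res);
  return { status: rec.statusCode, body: rec.body };
}
```

In production, `makeCheckHandler(path => admin.database().ref(path).once('value').then(s => s.val()))` is what you would export through functions.https.onRequest(). The endpoint still answers "exists" or "does not exist" for any well-formed number, so it remains an enumeration oracle for whoever can reach it; limiting request rate per caller is a separate measure that this block does not include.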
