使用电子邮件/密码登录而不启用它 [英] Login with Email/Password without enabling it
问题描述
我当前的注册过程如下:
My current registration process looks like this:
- 应用程序通过我的REST Api向我的后端发送注册请求,其中包含用户名,密码,电子邮件等信息.
- 我的后端检查用户名是否可用.如果是,它将使用admin api创建一个新用户.如果也成功,它将用户名保存到实时数据库中.
当我想使用 loginWithEmailAndPassword
登录时,它说我不能,因为密码登录已禁用.
When I want to log in with loginWithEmailAndPassword
it says that I can't because PasswordLogin is disabled.
由于我不想让任何人仅向 registerWithEmailAndPassword
注册,所以我希望将其保持禁用状态.
Since I don't want anybody to just register with registerWithEmailAndPassword
I want to keep it disabled.
我现在的问题是,如何在不启用电子邮件/密码的情况下登录用户?启用电子邮件/密码后,甚至还有可能利用该系统?
My question now is, how can I log a user in without enabling Email/Password? Or would there even be a possibility to exploit the system when I enable Email/Password?
编辑:我不确定是否可以保证通过 registerWithEmailAndPassword
进行的注册是否来自我的应用?
EDIT: What I'm not sure about is if registrations with registerWithEmailAndPassword
are guaranteed to be from my app?
推荐答案
firebaser此处
无法将用户登录到禁用的提供程序.实际上我很惊讶您可以注册它们.
There is no way to sign the user in to a disabled provider. I'm actually quite surprised that you can register them.
启用提供商后,无法阻止用户注册.
There is no way to prevent users from registering after you enable the provider.
但是只允许您的管理员后端创建的用户访问某些数据是很容易的.只需使管理脚本将其创建的用户的UID写入白名单即可:
But it's quite easy to only allow users that your administrative back-end created access to certain data. Just make the admin script write the UID of users it creates to a whitelist:
/whitelist
uid1: true
uid2: true
然后在您的安全规则中,仅允许对列入白名单的用户进行访问:
And then in your security rules only allow access on whitelisted users:
".read": "root.child('whitelist').child(auth.uid).exists()"
这篇关于使用电子邮件/密码登录而不启用它的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!