Authorized Request Origins is not restricting domain access in Firebase?


Problem description


I'm building an application using AngularFire + Firebase.
To prevent new users from being created, and authenticated, from domains other than my application's domain, I'm trying to use the Authorized Request Origins feature in Firebase.

Currently, it is only configured to allow authentication from localhost. However, when I create a new user using the createUser API from my application's domain, the user gets created in my Firebase.
This should not happen since I used "err" from createUser is null.

Is there anything else I need to configure?

Solution

[Engineer at Firebase] The authorized request origins setting is actually only applicable to the OAuth-based authentication providers (i.e. Facebook, Twitter, and GitHub), though your confusion is definitely warranted given our current interface. E-mail and password authentication is not subject to the same origin verification because it is not vulnerable to a malicious site taking advantage of an existing login on Facebook, Twitter, etc.

Keep in mind that email / password authentication only creates a mapping of an email address to a password hash, and generates a corresponding Firebase authentication token upon login. It does not read or write any data to / from your Firebase, and your Firebase is still subject to the same security rules that you've written for your application. Feel free to reach out to support@firebase.com if you have other concerns, or we can help out in any way.
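A concrete illustration of the last point, added here as an example and not code from the question or the answer: since an email/password signup cannot be fenced off by origin, the control that actually protects the data is the security rules on the Firebase itself. The rules below assume a data layout (an assumption, not something the thread states) with one node per user under `users/`. Nothing is readable or writable by default, an authenticated user can only touch the node whose key equals their own `auth.uid`, and the `.validate` rule keeps the stored profile to the expected shape. An account that was created from an unexpected origin therefore gains nothing beyond its own, initially empty, subtree.

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        ".validate": "newData.hasChildren(['email']) && newData.child('email').isString()"
      }
    }
  }
}
```

In the Firebase rules language a `true` at a shallower path grants access to everything below it, while a `false` at a shallower path does not prevent a deeper rule from granting access; this is why the root denial and the per-user grant compose as intended. Verify the effect with the rules simulator in the Firebase dashboard by reading `users/<some other uid>` as an authenticated user, which should be denied.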
