如何在 Firebase 中设置规则，以便只有我的应用可以在我的数据库 Firestore 上写入? [英] How can I set Rules in Firebase so that only my app can write on my database firestore?

问题描述

Firebase 告诉我我的数据库不安全，因为我有以下规则:

Firebase told me that my Database is not secure because I had as rules:

service cloud.firestore {
 match /databases/{database}/documents {
   match /mypath/{document=**} {
    allow write: if true;
    allow read, delete: if false;
   }
  }
 }

我在读取和删除方面没有问题，因为只有我使用 FirebaseAdmin 的服务器才能执行此类操作.但是我仍然有关于写操作的问题.这就是我切换到这个配置的原因:

I do not have problem about read and delete since only my server that use FirebaseAdmin can do such operations. However I still have a problem regarding write operations. This is the reason why I switch to this configuration:

service cloud.firestore {
  match /databases/{database}/documents {
    match /mypath/{document=**} {
      allow write: if request.resource.data.psw == 'mypassword';
      allow read, delete: if false;
    }
  }
}

我的想法是在我的应用程序的配置文件中写入一个密码，并将它与我想保存在 Firestore 上的数据一起使用.这种方法安全还是有更好的方法?

my idea is to write a password in a configuration file of my app and using it together the data that I want to save on Firestore. Is this method secure or there is a better way?

提前感谢您的建议.

推荐答案

您使用的方案根本不安全，因为您要将秘密"传送到客户端应用程序.您在应用中包含的任何信息本质上都是公开信息，因为很容易分解移动或网络应用数据以查看其工作原理.

The scheme you're using isn't secure at all, since you're shipping your "secret" to client apps. Any piece of information you include in your app is essentially public information, since it's easy to break down a mobile or web app data to see exactly how it works.

安全的方法是使用 Firebase 身份验证来限制谁可以读取或写入某些数据.这是基于每个用户保护数据库的唯一方法.不可能在每个应用的基础上安全地限制对数据库的访问.

The secure way is to use Firebase Authentication to limit who can read or write certain data. This is the only way secure a database on a per-user basis. It's not possible to securely limit access to a database on a per-app basis.

还要记住，您现在拥有的内容还允许任何客户端更新任何已知文档，而无需提供密码.request.resource.data.psw 将正确设置为之前最初正确设置的更新.这是因为 request.resource.data 包含所有先前文档的内容，以及更新中添加的任何更改.

Bear in mind also that what you have now also allows any client to update any known document without providing the password. request.resource.data.psw will be set correctly for updates where it was previously initially set correctly. That's because request.resource.data contains all the prior document's content, plus whatever changes were added in the update.

如果您由于某种原因无法使用 Firebase 身份验证，那么您现在所做的就是您所能做的最好的事情，但确实应该知道它不是很安全.

If you can't use Firebase Authentication for some reason, what you're doing now is the best you can do, but it really should be known that it's not very secure.

这篇关于如何在 Firebase 中设置规则，以便只有我的应用可以在我的数据库 Firestore 上写入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！