How to perform server validations based on query results with Firebase?


Problem description

When inserting a record I need to be able to run one or more queries on the server which will reject the insert if it finds any results. Will Firebase allow me to do this? It can't be specified on the client or it could be easily subverted.

For a more concrete example, I have a Meteor app that currently lets me do rate limiting on votes with some pretty simple code. I would like to implement this in Firebase. (Please forgive the CoffeeScript)

    @VoteFrequency =

      votesPer: (sinceDelta, sinceUnit) ->
        Votes.find(
          pollId: @pollId
          ip: @ip
          createdAt:
            $gte: moment().add(-sinceDelta, sinceUnit).toDate()
        ).count()

      withinLimits: (ip, pollId) ->
        @ip = ip
        @pollId = pollId

        # Allow x votes per y seconds
        @votesPer(10, 'seconds') < 1 &&
          @votesPer(1, 'hours') < 15 &&
          @votesPer(1, 'days') < 150

As you can see, it queries the database for previous votes matching the IP address and more recent than a timestamp (calculated using a delta from current time - interval). If it finds any results for any of these limits, it returns false, which tells the caller not to insert the new vote.

To be clear, I'm not looking for a solution where I add my own server into the mix. Once I have to do that, Firebase loses much of its appeal to me at least.

From what I can tell so far, this doesn't appear to be something I can implement just with a browser / native client and firebase alone.

Recommended answer

You cannot run your own code on Firebase's servers. So trying to map an existing three-tier solution to Firebase will require more than evaluating how to port each script.

As far as I can see, you have these main options:


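  1. You implement this in Firebase's security rules

  2. You run this code on your own server, as a middle tier between the clients and Firebase

  3. You run this code on your own server, as a bot to the Firebase database.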

I'll assume #1 is clear, though certainly not trivial. For example: Firebase's security rules don't have access to the IP address of the client, so you'll have to find a way to (securely) insert that into the data. Also: rate-limiting is possible in Firebase security rules, but not easy.

#2 is probably also clear. But it would keep you on your current three-tier architecture with custom middle-ware. You'd just be replacing your current data store with Firebase. If that's what you're looking for, this is definitely the simplest migration approach.

#3 is described in pattern 2 of this blog post. In this case you could consider letting the clients write their vote and IP address to a "staging" node. The bot-script then reads them from the staging area, validates that they are within the rules and writes to the official node (where regular clients don't have access).
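
The staging-and-bot pattern from option #3, applied to the question's three vote limits, as an added example that is not part of the original post. In-memory arrays stand in for the staging and official nodes (no Firebase SDK calls are used), and the `choice` field and the `processStaging` name are assumptions.

```javascript
// Added example: plain arrays stand in for the "staging" and official nodes.
// Limits mirror the question's withinLimits: <1 per 10 s, <15 per hour, <150 per day.
const LIMITS = [
  { windowMs: 10 * 1000, max: 1 },
  { windowMs: 60 * 60 * 1000, max: 15 },
  { windowMs: 24 * 60 * 60 * 1000, max: 150 },
];

// Count accepted votes for this ip + poll that are newer than (now - windowMs).
function votesPer(official, ip, pollId, now, windowMs) {
  return official.filter(
    (v) => v.ip === ip && v.pollId === pollId && v.createdAt >= now - windowMs
  ).length;
}

function withinLimits(official, ip, pollId, now) {
  return LIMITS.every(
    (l) => votesPer(official, ip, pollId, now, l.windowMs) < l.max
  );
}

// Bot step: drain staging, validate each entry, and write accepted votes to
// the official list that regular clients cannot write to. createdAt is
// stamped from the bot's clock; a timestamp supplied in the staged record is
// ignored because the client controls it.
function processStaging(staging, official, clock) {
  const rejected = [];
  while (staging.length > 0) {
    const staged = staging.shift();
    const now = clock();
    const wellFormed =
      typeof staged.ip === "string" &&
      typeof staged.pollId === "string" &&
      typeof staged.choice === "string"; // `choice` is a hypothetical field
    if (wellFormed && withinLimits(official, staged.ip, staged.pollId, now)) {
      official.push({ ip: staged.ip, pollId: staged.pollId,
                      choice: staged.choice, createdAt: now });
    } else {
      rejected.push(staged);
    }
  }
  return rejected;
}
```

The `ip` value is only as trustworthy as whatever wrote it to staging, which is the answer's point about inserting it securely.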
