Firebase安全规则阻止写入Firebase [英] Firebase Security Rules Block Writing to Firebase
问题描述
polymer
,因为Polymer库用于生成Javascript。 p> 这个问题涉及两个不同但相关的问题,涉及Firebase安全性。问题1和问题2在尝试获取Firebase安全规则时似乎表明了相反的现实和相反的结果。 (FWIW:这是我以前不成功的尝试写这个问题。)
http://jsbin.com/hinehoyigo/edit? HTML,输出
问题1
Firebase安全规则阻止写入Firebase
说明
- 输入您的Firebase ID。例如:hot-sauce-123
- 在新的标签页或窗口中,转到您的firebase并打开它
- 允许匿名认证:
您的firebase
>登入&验证
>匿名标签
>选中启用匿名用户验证 - 不应用安全规则:安全性和安全性规则>
{
规则:{
.read:true,
.write:true
$ b -
- 返回到jsbin
- 选择anonymous作为auth提供者:下拉菜单>匿名
- 点击标有login的按钮
- 确认每个字段的登录状态正确 li>打开您的控制台:Chrome> View> Developer> Developer Tools
- 点击标签为打印用户到控制台的按钮 通过验证打印到控制台的用户对象
- 单击标记为将Firebase打印到控制台的按钮
- 通过检查打印到控制台的Firebase URL来验证Firebase是否正确li>
- 点击标记为写入Firebase - 纯文字网址的按钮
- 检查您的Firebase数据;通知没有发生写入
- 点击标记为写入Firebase - .json的URL按钮
- 检查您的Firebase数据;注意成功写入
- 区分两次写入尝试,因为之前尝试写入{quux:baz};
后尝试写{jquux:jbaz} - 添加安全规则:Security&规则>
{
rules:{
users:{
$ uid:{
.read: auth!= null && auth.uid === $ uid,
.write:auth!= null && auth.uid === $ uid
}
}
}
}
- 再次点击标记为写入Firebase - .json网址的按钮
- 检查您的Firebase数据;结束语/问题陈述:Firebase安全规则会阻止写入Firebase。 b
- 打开Firebase 验证安全规则到位问题1中的#19)...
- 打开你的模拟器:垂直导航菜单>模拟器
- 检查单选按钮Custom Auth / li>
- 自定义验证输入字段应该读取类似于
的内容{provider:'anonymous',uid:'ag69g401-f097-4171-bca4-927fd1a6e1f3'}
- 单击标有身份验证的按钮
- 确认标有自定义身份验证的单选按钮旁边的绿色复选标记到第2部分
- 点击标签为写入的标签
- 在输入字段请输入users / ag69g401-f097-4171-bca4-927fd1a6e1f3 / foo / bar。
- 验证刚输入的URL路径中的用户标识,点击标签为模拟写入的按钮
注意响应表示类似于:
尝试用auth写入<用户名> / <用户名> / <用户名> / <用户名> / <用户名> / <用户名> / <用户名/密码> = {provider:anonymous,uid:ag69g401-f097-4171-bca4-927fd1a6e1f3}
/
/ users
/users/ag69g401-f097-4171-bca4-927fd1a6e1f3:.write:auth!= null && auth.uid === $ uid
=> true
允许写入。
- 注意:这个结果与上述步骤#14和#15的结果相反,其中普通URL(不带.json附加)未能写入
将.json附加到URL中,以便输入字段的内容类似于
users / ag69g401-f097-4171-bca4-927fd1a6e1f3 / foo / bar.json
- 单击标有模拟写入的按钮
注意响应表示如下所示:
路径无效。模拟中止。
- 注意:上述步骤#16和#17的结果相反,只有.json附加的URL是唯一可用的;
- 注意,这些模拟器测试的结果与上述问题#1中的实际代码测试结果相反:
- 您可以在模拟器中或使用 Firebase SDK 访问
https ://mine.firebaseio.com/users/de01fc8104
- 要使用 REST API 访问记录,URL是
https://mine.firebaseio.com/users/de01fc8104.json
- Enter your firebase ID. Example: "hot-sauce-123"
- In a new tab or window, go to your firebase and open it
- Allow anonymous auth: Your firebase > Login & Auth > Anonymous tab > Check "Enable Anonymous User Authentication"
- Apply no security rules: Security & Rules >
{ "rules": { ".read": true, ".write": true } }
- Return back to jsbin
- Select "anonymous" as auth provider: dropdown menu > anonymous
- Click button labeled "login"
- Verify login status per fields to right
- Open your console: Chrome > View > Developer > Developer Tools
- Click button labeled "Print User to console"
- Double-check login status by verifying user object printed to console
- Click button labeled "Print Firebase to console"
- Verify correct firebase by checking Firebase URL printed to console
- Click button labeled "Write to Firebase — Plain Url"
- Check your firebase data; notice no write occured
- Click button labeled "Write to Firebase — .json Url"
- Check your firebase data; notice successful write
- Distinguish the two write attempts because former attempts to write {"quux":"baz"}; latter attempts to write {"jquux":"jbaz"}
- Add security rules: Security & Rules >
{ "rules": { "users": { "$uid": { ".read": "auth != null && auth.uid === $uid", ".write": "auth != null && auth.uid === $uid" } } } }
- Click again the button labeled "Write to Firebase — .json Url"
- Check your firebase data; notice write NOW FAILS
- Conclusion / Problem Statement: Firebase security rules block writing to Firebase.
- Open your Firebase
- Verify security rules are in place (see above step #19 in Problem #1)...
- Open your simulator: Vertical Navigation Menu > Simulator
- Check radio button labeled "Custom Auth"
- Custom Auth input field should read something like "{ provider: 'anonymous', uid: 'ag69g401-f097-4171-bca4-927fd1a6e1f3' }"
- Click button labeled "Authenticate"
- Verify little green check mark is next to radio button labeled "Custom Auth"
- Go to section 2
- Click tab labeled "Write"
- In input field labeled URL, enter "users/ag69g401-f097-4171-bca4-927fd1a6e1f3/foo/bar"
- Verify the user ID in the URL path you just entered, matches the uid value in the above Custom Auth field
- Click button labeled "Simulate Write"
-
Notice response says something like:
Attempt to write{"key":"value"} to /users/ag69g401-f097-4171-bca4-927fd1a6e1f3/foo/bar
withauth={"provider":"anonymous","uid":"ag69g401-f097-4171-bca4-927fd1a6e1f3"}
/ /users /users/ag69g401-f097-4171-bca4-927fd1a6e1f3:.write: "auth != null && auth.uid === $uid" => true
Write was allowed.
- Notice: This result is the opposite result from above steps #14 and #15 where the plain URL (without .json appended) failed to write
- Append ".json" to the URL so the input field reads something like "users/ag69g401-f097-4171-bca4-927fd1a6e1f3/foo/bar.json"
- Click button labeled "Simulate Write"
-
Notice response says something like:
Invalid path. Simulation aborted. - Notice: This result is the opposite result from above steps #16 and #17 where the .json appended URL was the only one that worked;
- Notice these simulator tests suggest the opposite results than those tested from the live code in above Problem #1
- You can access that record in the simulator or with a Firebase SDK as
https://mine.firebaseio.com/users/de01fc8104
- To access the record using the REST API, the URL is
https://mine.firebaseio.com/users/de01fc8104.json
问题2
模拟器块.json正在使用的URL(如上所述)
说明
问题1
您正在使用Polymer firebase-auth
元素进行身份验证与Firebase。
< firebase-auth id =firebaseLogin
user ={{user}}
...
这个调用的是 Firebase.authAnonymously()
方法,用于验证当前会话 Firebase JavaScript SDK 。
<您正在使用以下方式向Firebase写信:
computeFbTargetJson:function(f){
return f +' JSON;
code $
$ b $ p
$ pre> this.set('$。ajax.url',this.fbTargetJson);
this.set('$。ajax.body',JSON.stringify({
jquux:'jbaz'
}));
this。$。ajax.generateRequest();
这是向Firebase发出一个AJAX请求,这意味着您正在使用 Firebase的REST API 。但是,由于这是一个普通的HTTP调用,因此它不会继承Firebase JavaScript客户端的身份验证。
要验证您的REST请求,您需要传入 auth $ Firebase文档中记录的c $ c>参数
。您可以使用 ref.getAuth()来获取Firebase引用中的令牌。令牌
。
h1>
Firebase数据库中的每个元素都可以通过唯一的URL访问。您可以使用其中一个Firebase SDK访问它,也可以直接访问Firebase公开的REST API。
从jsbin中可以得到的信息,到Firebase使用:
computeFbTargetJson:function(f){
return f +'.json';
code $
$ b $ p
$ pre> this.set('$。ajax.url',this.fbTargetJson);
this.set('$。ajax.body',JSON.stringify({
jquux:'jbaz'
}));
this。$。ajax.generateRequest();
这是向Firebase发出一个AJAX请求,这意味着您正在使用 Firebase的REST API 。该API文档的第一段介绍了Firebase数据库网址如何映射到REST API:
$ b
我们可以将任何Firebase应用程序网址用作REST端点。我们需要做的就是将.json附加到URL的末尾,并发送来自我们最喜欢的HTTPS客户端的请求。
要使用REST API访问Firebase中的任何数据,请在该数据的网址中追加 .json
。
当您使用Firebase模拟器时,操作与使用Firebase的JavaScript SDK类似。在这种情况下,你不应该把 .json
后缀放在URL的后面。
Firebase数据库位于 https://mine.firebaseio.com/
,假设您的用户个人资料位于 / users / de01fc8104
。
总结
您的问题都是由于您使用了两种不同的方式来访问Firebase:JavaScript SDK和REST API。虽然这两种方法可以一起使用,但您必须确保提供所需的信息。一般而言,如果您坚持使用单一客户端访问Firebase的一种方式,您将获得更轻松的体验。
Note: This question is tagged polymer
because the Polymer library is used to generate the Javascript.
This question is about two different but related problems dealing with Firebase security. Problem 1 and Problem 2 seem to suggest opposite realities and opposite results when trying to get the Firebase security rules to work. (FWIW: Here is my prior unsuccessful attempt to write this question.)
Here is the live code in a JSBin.
http://jsbin.com/hinehoyigo/edit?html,output
Problem 1
Firebase Security Rules Block Writing to Firebase
Instructions
Problem 2
Simulator blocks .json URL from being used (as required above)
Instructions
Problem 1
You're using the Polymer firebase-auth
element to authenticate with Firebase.
<firebase-auth id="firebaseLogin"
user="{{user}}"
...
Under the hood this calls the Firebase.authAnonymously()
method, which authenticates the current session in the Firebase JavaScript SDK.
You're writing to Firebase using:
computeFbTargetJson: function(f) {
return f + '.json';
}
and
this.set('$.ajax.url' , this.fbTargetJson);
this.set('$.ajax.body' , JSON.stringify({
jquux: 'jbaz'
}));
this.$.ajax.generateRequest();
This is doing an AJAX request to Firebase, which means that you're using Firebase's REST API. But since this is a regular HTTP call, it will not "inherit" then authentication from the Firebase JavaScript client.
To authenticate your REST request, you will need to pass in an auth
parameter as documented in the Firebase documentation. You can get the token from the Firebase reference using ref.getAuth().token
.
Problem 2
Each element in your Firebase database is accessibly by a unique URL. You can either access it with one of the Firebase SDKs or by directly accessing the REST API that Firebase exposes.
From what I can gather from the jsbin, you're writing to Firebase using:
computeFbTargetJson: function(f) {
return f + '.json';
}
and
this.set('$.ajax.url' , this.fbTargetJson);
this.set('$.ajax.body' , JSON.stringify({
jquux: 'jbaz'
}));
this.$.ajax.generateRequest();
This is doing an AJAX request to Firebase, which means that you're using Firebase's REST API. The first paragraph of that API documentation explains how Firebase database URLs map to the REST API:
We can use any Firebase app URL as a REST endpoint. All we need to do is append .json to the end of the URL and send a request from our favorite HTTPS client.
So in order to access any data in Firebase using the REST API, you append .json
to the URL of that data.
When you're using the Firebase Simulator, the operation is similar to using Firebase's JavaScript SDK. In that case, you should not put the .json
suffix at the end of the URL.
So given a Firebase database at https://mine.firebaseio.com/
, say you have a user profile at /users/de01fc8104
.
Summary
Both of your problems are caused by the fact that you're using two different ways of accessing Firebase: the JavaScript SDK and the REST API. While these two methods can be used together, you will have to ensure you provide the information that is needed. In general you will have an easier experience if you stick to using one way of accessing Firebase from a single client.
这篇关于Firebase安全规则阻止写入Firebase的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!