访问Firebase规则中的电子邮件地址 [英] accessing email address in firebase rules
问题描述
我正在使用firebase 3.
在编写firebase规则时,auth对象只包含uid和提供者。有没有什么办法,这可以增强也提供电子邮件地址?
我试图解决的问题是,该网站的所有者工作希望根据他们的电子邮件地址许可用户,因为他不会知道他们的firebase uid前面。
我已经看到了解决方案,这表明坚持用户firebase中的对象(使用电子邮件),然后将其用作规则中的参考点。
我可以看到的问题是,如果有人知道具有完全权限的用户的电子邮件地址,那么调试代码和在保存到firebase之前操作电子邮件地址将是相当容易的,这意味着它将他们的firebase id和他人的电子邮件地址一起保存。
为了保证安全,唯一的方法是在firebase的auth对象中提供电子邮件地址规则,这是不能被黑客攻击的。
我错过了什么吗?
更多信息
这个想法是,我们可以通过将位置名称添加到用户的电子邮件地址来控制对特定位置的数据访问:
- 用户由网站管理员提前手动创建,提供对数据子集的访问。
eg
-users
-user1Email
-locations
-someLocation:true
-someOtherLocation:true
-
用户通过google进行身份验证。在客户端,我们可以在auth.user.email中看到他们的电子邮件地址。
-
在规则中,我想要做一些类似于
locations:{
$ location:{
.read:root.hasChild('users /'+ auth.email +'/ locations /'+ $ location),
}
}
我知道我需要转义电子邮件地址,只是为了保持现在的简单。
我已经在模拟器中测试过了,如果我使用自定义提供程序并在其中提供电子邮件,它就可以完美工作,但是在规则中使用googleauth只具有uid和提供程序属性,而不是电子邮件。
另一种方法(除了使用自定义提供程序)是允许用户先创建自己的帐户,然后使用他们的位置添加到每个用户uid作为关键而不是他们的电子邮件地址,但主人希望能够提前设置它,所以t第一次他们马上登录它的话。
解决方案 Firebase团队仍在努力提供电子邮件auth对象,你可以在你的规则中使用 auth.token.email 进行一些限制。请看看这篇文章获取更多的细节。
如果当前的Firebase解决方案无法满足您的所有需求,则可以使用一些解决方案。
你希望保持当前的 / users 结构,无论何时注册一个新用户,都要将用户uid链接到新分支 / user_emails ,它将存储 $ uid:email 。然后您的规则将如下所示。
user_emails:{
$ uid:{
.write:auth.uid == $ uid,
.validate:!root.child('Users')。hasChild(newData.val())
}
location:
$ location $ {
.read:root.hasChild('users /'+ root.child(' ($ auth.uid).val()+'location +'+ $ location)请注意,您需要对其进行增强,以确保只有合适的用户才能编辑这个新的 user_emails 分支。
I'm using firebase 3.
When writing firebase rules, the auth object only contains the uid and the provider. Is there any way that this could be enhanced to also provide the email address?
The problem that I'm trying to solve is that the owner of the site I'm working on wants to permission users based on their email address, because he won't know their firebase uid up front.
I have seen solutions to this suggesting to persist the user object in firebase (with the email) and then use that as a reference point in the rules.
The problem I can see with that is that if someone knew the email address of a user with full privileges, it would be fairly easy to debug the code, and manipulate the email address prior to saving into firebase, which means it would save their firebase id alongside someone else's email address.
The only way I can see to make this safe is to have the email address provided in the auth object in the firebase rules, which can't be hacked.
Am I missing something?
MORE INFO
The idea is that we can control access to data for a specific location by adding the location name to a user's email address:
- A user is created ahead of time manually by the site manager, providing access to a subset of data.
e.g
-users
-user1Email
-locations
-someLocation:true
-someOtherLocation:true
The user authenticates via google. On the client side we can see their email address in auth.user.email
In the rules, I want to do something like
locations : {
"$location": {
".read": "root.hasChild('users/' + auth.email + '/locations/' + $location)",
}
}
I know I need to escape the email address, just trying to keep it simple for now.
I've tested this out in the simulator and it works perfectly if I use a custom provider and provide the email in there, but using google the "auth" in the rule only has uid and provider properties, not email.
The alternative (other than using a custom provider) is to allow the user to create their account first, and then the locations are added to each user using their uid as the key rather than their email address, but the owner wants to be able to set it up ahead of time so that the first time they log in it words straight away.
解决方案 Firebase team is still working to provide the email in the auth object and you can find it with some limitations using auth.token.email in your rules. Please take a look in this post to get more details.
If the current firebase solution doesn't handle all your needs there is some options to workaround.
Since you want to keep your current /users structure you could, whenever registering a new user, link the user uid to the corresponding email in a new branch /user_emails that will simply store $uid: email. Then your rules will look like the following.
"user_emails": {
"$uid": {
".write": "auth.uid == $uid",
".validate": "!root.child('Users').hasChild(newData.val())"
}
},
"locations": {
"$location": {
".read": "root.hasChild('users/' + root.child('user_emails').child(auth.uid).val() + '/locations/' + $location)"
}
}
Keep in mind that you will need to enhance them to ensure that only the right users will be able to edit this new user_emails branch.
这篇关于访问Firebase规则中的电子邮件地址的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
