将Firebase读/写访问限制为仅限于我自己 [英] Restricting Firebase read/write access to only myself
问题描述
我有一个运行的静态网站:
$ p code $ config $ b $ apiKey: authDomain:HIDDEN
databaseURL:HIDDEN
storageBucket:
firebase.initializeApp(config)
)。
我在这里困惑吗?这是从浏览器使用Firebase进行身份验证的有效方法吗?我从他们的web教程中获得了代码,所以我认为是这样。
现在,我需要配置我的Firebase数据库规则,以便我只有我可以阅读&写下来。
我怎么能做到这一点?这个例子是否足够?
这是允许读取/写入认证用户的给定示例
{
rules:{$ b $.read:auth!= null,
.write :auth!= null
}
}
firebase.initializeApp(config)不会对您进行身份验证,它只是在Firebase服务器上标识您的项目。这是相当于你必须知道你的家庭地址,才能知道下班后去哪里。知道地址是一个先决条件,但它是不够的获得访问。 如果你想限制数据访问只有你,这意味着你必须先用Firebase标识自己。您可以使用
使用 uid 您可以控制对数据(数据库和存储)的访问。因此,如果您从控制台复制您的 uid 并将其添加到安全规则中,则只有您(或知道您的电子邮件密码的人)才能访问数据库:
{
rules:{
.read:auth.uid =='e836f712-4914 -41df-aa80-5ade6b8b7874',
.write:auth =='e836f712-4914-41df-aa80-5ade6b8b7874'
}
}
请注意,我在这段代码中添加了一个我自己的 uid 就像知道您的API密钥或数据库URL不是安全风险一样,也不知道我的 uid 。知道我是Frank van Puffelen,Stack Overflow上的 user:209103 ,并不意味着你可以冒充我。
I have a static website which runs:
config =
apiKey: "HIDDEN"
authDomain: "HIDDEN"
databaseURL: "HIDDEN"
storageBucket: ""
firebase.initializeApp(config)
in the browser (it's compiled to javacript) to authenticate with Firebase's server.
Am I confused here? Is this a valid way to authenticate with Firebase from the browser? I got the code from their "web" tutorial, so I'm figuring it is.
Now, I need to configure my Firebase database rules so that me and only me can read & write it.
How could I accomplish this? Would this example be adequate?
this is the given example for allowing read/write to authenticated users only
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
The firebase.initializeApp(config) does not authenticate you, it merely identifies your project on the Firebase servers. It's the equivalent that you must know your home address to be able to know where to go after work. Knowing the address is a prerequisite, but it is not enough to gain access.
If you want to restrict data access to "just you", that means that you must first identify yourself with Firebase. This you do with Firebase Authentication. For example, to sign in with email+password you'd do:
firebase.auth().signInWithEmailAndPassword(email, password)
Read the documentation for email+password authentication for the full steps.
Once you're authenticated, you get a unique id; a so-called uid. You can find your uid in the Auth tab of your Firebase Console.
With this uid you can control access to the data (both database and storage). So if you copy your uid from the console and add it to your security rules, only you (or someone who knows your email+password) can access the database:
{
"rules": {
".read": "auth.uid == 'e836f712-4914-41df-aa80-5ade6b8b7874'",
".write": "auth == 'e836f712-4914-41df-aa80-5ade6b8b7874'"
}
}
Note that I added one of my own uids in this snippet. Just like knowing your API key or database URL is not a security risk, neither is knowing my uid. Knowing that I am Frank van Puffelen, user:209103 on Stack Overflow, does not mean that you can impersonate me.
这篇关于将Firebase读/写访问限制为仅限于我自己的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
