Manage invite codes for registration with Firebase

Problem description

I am teaching myself AngularJS and Firebase and am developing an app with two user roles A and B. Role B should only be able to register to the site if they have a valid invite code.

I am using Firebase as a backend and AngularFire bindings. I have set up my project with the Yeoman generator generator-angularfire. The latter provides Firebase basic password / Simple Login auth method.

My register form has more fields than just email/password. User Id, email, pass are handled internally by Firebase and stored successfully. Additionally, I save those other fields upon successful registration in another Firebase document called "accounts":

"accounts": {
    "simplelogin:16" : {
      "company" : "foo corp",
      "firstName" : "lorem",
      "lastName" : "ipsum",
      "type" : "userRoleA"
    },
    "simplelogin:19" : {
      "company" : "bar corp",
      "firstName" : "dolor",
      "lastName" : "sit",
      "type" : "userRoleA"
    },
    "simplelogin:17" : {
      "city" : "new york",
      "firstName" : "asd",
      "lastName" : "asd",
      "type" : "userRoleB"
    },
    "simplelogin:18" : {
      "city" : "washington",
      "firstName" : "a",
      "lastName" : "a",
      "type" : "userRoleB"
    }
}

Now I am trying to find out a secure way to implement the invite code feature. I have added a Firebase document called "inviteCodes":

"inviteCodes" : {
  "111" : {
    "generator" : "system"
  },
  "222" : {
    "generator" : "system"
  },
  "333" : {
    "generator" : "system"
  }
}

1 - Generate invite codes: I cannot simply put them in the Firebase directly, because in a later step I want users A to be able to generate these codes. But how can I generate codes on Firebase without exposing the method to the frontend? I would work around this by adding a Firebase rule to only grant authenticated users with type "userRoleA" inside the "accounts" document write access to the "inviteCodes" document. Is this the way to go, or is there another way? Because in this case the method to generate the codes is still exposed.

2 - Assuming 1) is solved and invite codes are in the Firebase document. Upon registration, before calling the $createUser method I need to check if the provided invite code is valid. I would query the Firebase and check if the provided code matches any of the saved invite codes. Something like this (dummy code for illustration):

var firebaseCodes = firebaseRefInviteCodes;
var providedCode = registrationForm.providedCode;
var isCodeValid = false;

for (var i = 0; i < firebaseCodes.length; i++) {
  if (firebaseCodes[i] === providedCode) {
    isCodeValid = true;
  }
}

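But again, with this query all codes would be exposed on the frontend. Is there a way to check if the provided code is valid without exposing all codes?

Thank you for your input.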

Recommended answer

In order to generate invites, I don't see any problem having frontend doing that - until it's a secure random token generator. You can also have Firebase generate it:

var inviteCode = firebaseRef.push().key();

Security rules are a powerful way to secure your application data in Firebase. However, in order to make them work correctly you have to design your data structure in a correct way. 'Relational' DB approach will not work in this case. The problem is that userA is sharing invites only with userB and no one else must be able to 'see' them. So storing all access codes in one 'table' is not a good option. I assume that when userA creates an invite it knows for which user this invite is for. In this case you can design data structure similar to this:

-inviteCodes
    -invitee
        -{$userB_email}
            -code: {codeValue}
            -inviterId: {userAId}
            -generator: "system"

With this structure, security rules can be as follows:

/inviteCodes/invitee - public, so userA can insert new invite code for userB

/inviteCodes/invitee/{userB_email} - write new data - public, read - private, can be accessed only by userB, e.g. data.exists() && newData.child('email').val() === $userB_email && newData.child('inviteCode').val() === data.child('code').val()

userA who generated the code can also store the email of the user the code has been generated for, then it can also access this data using the email and its inviterId.

In this way you never have to retrieve invites for other users.
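
One way to write the checks described in the answer as Realtime Database rules, added here as an example and not code from the original answer. It assumes current Firebase Authentication (`auth.token.email`), a hypothetical `inviteCode` field on the account record, and an email key in which "." is replaced by ",".

```json
{
  "rules": {
    // Assumed layout (hypothetical): accounts/{uid} gains an "inviteCode"
    // child for role B; invites live at inviteCodes/invitee/{emailKey},
    // where emailKey is the invitee's email with "." replaced by ","
    // because Realtime Database keys cannot contain ".".
    "accounts": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        // Role B is accepted only when the submitted code equals the code
        // stored for the caller's own email. exists() and isString() stop a
        // missing invite and a missing field from matching as null === null.
        ".validate": "newData.child('type').val() === 'userRoleA' || (newData.child('type').val() === 'userRoleB' && newData.child('inviteCode').isString() && root.child('inviteCodes').child('invitee').child(auth.token.email.replace('.', ',')).child('code').exists() && newData.child('inviteCode').val() === root.child('inviteCodes').child('invitee').child(auth.token.email.replace('.', ',')).child('code').val())"
      }
    },
    "inviteCodes": {
      "invitee": {
        "$emailKey": {
          // Only the inviter can read an invite back. There is no read rule
          // on the parent node, so no client can list or download the codes.
          ".read": "auth != null && data.child('inviterId').val() === auth.uid",
          // Only role A may create an invite, under its own uid, and an
          // existing invite cannot be overwritten or deleted by clients.
          ".write": "auth != null && !data.exists() && root.child('accounts').child(auth.uid).child('type').val() === 'userRoleA' && newData.child('inviterId').val() === auth.uid",
          // 20 characters is the length of a push() key (assumed minimum).
          ".validate": "newData.hasChildren(['code', 'inviterId']) && newData.child('code').isString() && newData.child('code').val().length >= 20"
        }
      }
    }
  }
}
```

The comparison runs inside the rules when the account record is written, so the registration form never queries `inviteCodes`; a wrong or missing code simply makes the role B write fail with a permission error.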
