How to prevent customers from modifying firebase data (in web-application without backend)?


Question

I've recently starting exploring firebase as a authentication solution for my angular JS single-page website, and it seems perfect. However from a security perspective I'm not very sure about keeping the logic on client-side in my application.

Suppose I have a check 'isProfileCompleted' for a customer who signs-up on my website, and is supposed to complete his profile. I'm keeping the data in a JSON keyed by the UID with exclusive write access to the customer only.

The problem is, now that the client has write access to his data, he can easily bypass client side validation checks by simply modifying javascript in his browser. Also, the client can easily update his account_type to author/moderator, as it's his data. Does firebase provide a solution to this problem?

Let me know if it's not clear, so I will try to elaborate further.

Thanks.

Answer

You can secure your data with Security Rules.

Firebase Security Rules are an expression (does the rule evaluate to true/false) based rules language that lives on a Firebase server and validates whether the current user can access your data.

Take a look at the following data structure:

{
  // the users of the app
  "users": {
    "1": {
      "name": "Sanjay",
      "isProfileCompleted": true
    },
    "2": {
      "name": "David",
      "isProfileCompleted": false
    }
  }
}

By default anyone can read or write data to your Firebase database. To fix this you can write security rules.

Security Rules are essentially an annotation on your data structure:

{
  "rules": {
     "users": { // /users is read only
       ".read": true,
       ".write": false
     }
   }
}

Security Rules give you access to a set of server variables to check your rules against. The most commonly used one is the auth variable, which lets you check against the currently authenticated user. You can also create wildcard variables with the $, which act as route parameters.

{
  "rules": {
    "users": {
      // users can read and write their own data, but no one else. 
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid"
      }
    }
  }
}

You can even write rules to validate the structure of your data.

{
  "rules": {
    "users": {
      // users can read and write their own data, but no one else. 
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid",
        ".validate": "newData.hasChildren(['name', 'isProfileCompleted'])",
        "name": {
          ".validate": "newData.isString()"
        },
        "isProfileCompleted": {
          ".validate": "newData.isBoolean()"
        }
      }
    }
  }
}

But the Bolt compiler is a better solution for this, as it allows you to create Types to define schema.

You can write your Security Rules in the Firebase App Dashboard or you can upload them via the Firebase CLI.
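The question also asks how to stop the profile owner from promoting his own account_type to author/moderator. The rules below are an added example, not part of the answer above or of any Firebase documentation; they extend the answer's structure-validation rules with an account_type child and assume 'user' as the default role a new profile starts with (an assumption for this example). Two properties of Realtime Database rules shape the design: .write permissions cascade downward, so a child-level ".write": false cannot revoke the write access the $uid rule already granted, and .validate rules only run on non-null data, so the parent-level hasChildren check is what prevents a client from simply deleting account_type.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid",
        // every profile must carry all three children, so a client cannot
        // drop account_type to sidestep the validation on that child
        ".validate": "newData.hasChildren(['name', 'isProfileCompleted', 'account_type'])",
        "name": {
          ".validate": "newData.isString()"
        },
        "isProfileCompleted": {
          ".validate": "newData.isBoolean()"
        },
        "account_type": {
          // first write: the role must be 'user' (assumed default for this example);
          // later writes: the role must equal the value already stored (data),
          // so the owner can never change it from the browser
          ".validate": "(!data.exists() && newData.val() == 'user') || newData.val() == data.val()"
        }
      }
    }
  }
}
```

With these rules a write of { "account_type": "moderator" } from the client SDK is rejected by the server regardless of what the page's JavaScript does, because data (the existing value) and newData (the attempted value) differ. Promotion to author/moderator then has to happen from a trusted place, for example editing the value in the Firebase App Dashboard mentioned above, where security rules do not apply.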
