锁定Firebase数据库对特定应用程序的访问 [英] Locking down Firebase DB access to specific apps
问题描述
我认为从网络上搜索这在技术上是不可能的,但是我想再次询问以防万一.
我有一个使用Firebase的应用程序.仅通过针对授权用户的安全规则来限制读写操作,但是我希望某些信息可以让未经授权的用户访问(因此,我不必在他们面前放一个登录墙,而不会造成流失).
我想知道的是,有什么方法可以锁定只有 my 应用可以调用数据库的读取访问权限吗?我知道我可以锁定域,以防止有人编写localhost爬虫,但是如何阻止某人克隆和重新设置皮肤外观并将其指向同一个后端呢?可以使用您的证书指纹来实现这一点吗?
无法将对数据库的访问限制为仅对应用程序的访问.但这与Firebase API的基于云的本质不匹配.原则上,任何知道数据库URL的人都可以访问它,而安全规则是确保所有访问权限得到授权的 方法.
请注意,安全规则不是万事俱备的方法:您可以要求登录数据库的某些部分,而使其他部分可公开阅读.但是您不能使公开可读的部分只能由您自己的应用程序读取.
以前关于同一主题的一些问题:
- 如何确保只有我自己的网站(客户端代码)才能与Firebase后端通信?(对此,我几乎是必不可少的答案)
- 如何仅允许我的应用程序无需登录即可访问Firebase?
- 限制Firebase数据库对一个Android应用程序的访问权限
- 如何允许只有我的应用程序无需登录即可访问firebase?
I think from searching the web this is not technically possible but I want to ask again in case I'm missing something.
I have an app that uses Firebase. Reading and writing is locked down through security rules for authorised users only but there's certain information I want unauthorised users to be able to access (so I don't have to put a login wall in front of them, influencing churn).
What I want to know is, is there any way of locking down this read access that only my app can call the DB? I know I can lock down domains to prevent someone writing localhost scrapers but what's to stop someone cloning and re-skinning an app and pointing it to the same back end? Is it possible to achieve this using your certificates fingerprint?
There is no way to limit access to your database to just your app. That just doesn't match with the cloud-based nature of the Firebase APIs. Anyone that knows the URL of your database can in in principle access it, and security rule are the way to ensure all access is authorized.
Note that security rules are not an all-or-nothing approach: you can require sign-in for some parts of your database, while leaving other parts publicly readable. But you can't make the publicly readable parts only be readable by your own app.
Some previous questions on the same topic:
- how to make sure only my own website (clientside code) can talk to Firebase backend? (pretty much my go-to answer for this)
- How to allow only my app to access firebase without a login?
- Restrict Firebase database access to one Android app
- How to allow only my app to access firebase without a login?
这篇关于锁定Firebase数据库对特定应用程序的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
