Firebase电子邮件说我的实时数据库有不安全的规则 [英] Firebase email saying my realtime database has insecure rules

问题描述

我最近收到了来自Firebase的电子邮件，告诉我我的实时数据库具有不安全的规则.这些是我设置的规则:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
 }
}

这不是安全规则吗?

电子邮件/密码是我启用的唯一登录方法.

解决方案

firebaser此处

对于电子邮件中关于这些规则的不安全之处不是很明确的情况，我们深感抱歉.保护用户数据对于任何可用的应用程序都是至关重要的一步，因此，我将在下面尝试进一步说明其工作原理.

您拥有的(默认)规则允许登录到您的后端的任何人对整个数据库具有完全的读/写访问权限.这只是一个非常基本的安全层.

一方面，这比仅授予每个人访问数据库的权限更为安全，至少他们必须登录.

另一方面，如果您在Firebase身份验证中启用了任何身份验证提供程序，则即使没有使用您的应用程序，任何人都可以登录到您的后端.取决于提供程序，这就像在浏览器的开发人员控制台中运行一些JavaScript一样容易.登录后，他们就可以读取和写入数据库中的任何内容.这意味着他们可以使用firebase.database().ref().delete()这样的简单命令删除所有数据.

要使数据访问更加安全，您将需要更严格地控​​制每个登录用户可以执行的操作.例如，假设您在/users下保留了一个配置文件，其中包含有关每个用户的信息.您可能希望允许所有用户访问这些配置文件，但是您绝对只希望允许用户修改自己的数据.您可以使用以下规则对此进行保护:

{
  "rules": {
    "users": {
      ".read": true,
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid"
      }
    }
  }
}

使用这些规则，每个人(甚至未经身份验证的用户)都可以读取所有配置文件.但是每个配置文件只能由其配置文件的用户修改.有关更多信息，请参见有关保护用户数据的Firebase文档. /p>

除了确保对所有数据的访问均得到授权外，您还需要确保存储的所有数据对您的应用程序所适用的任何规则均有效.例如，假设您要为用户存储两个属性:其名称和年龄(仅出于示例原因，实际上，您可能会存储其出生日期).因此，您可以将其存储为以下内容:

"users": {
  "uidOfPuf": {
    "name": "Frank van Puffelen",
    "age": 48
  }
}

要确保只能写入此数据，可以使用以下规则:

{
  "rules": {
    "users": {
      ".read": true,
      "$user_id": {
        ".write": "$user_id === auth.uid",
        ".validate": "data.hasChildren('name', 'age')",
        "name": {
          ".validate": "data.isString()",
        },
        "age: {
          ".validate": "data.isNumber()",
        },
        "$other: {
          ".validate": false
        }
      }
    }
  }
}

这些规则确保每个用户配置文件都具有分别包含字符串和数字值的name和age属性.如果有人尝试编写任何其他属性，则该写操作将被拒绝.

以上内容是有关如何考虑保护您(用户)数据的快速入门.我建议您查看 Firebase安全文档(和嵌入式视频)以了解更多信息

I recently received an email from firebase telling me that my realtime database has insecure rules. These are the rules that I have set:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
 }
}

Is this not a secure rule?

Email/Password is the only sign-in method that I have enabled.

解决方案

firebaser here

I'm sorry if the email wasn't very explicit about what isn't secure about those rules. Securing your user's data is a crucial step for any app that you make available, so I'll try to explain a bit more about how that works below.

The (default) rules you have allow anyone who is signed in to your back-end full read/write access to the entire database. This is only a very basic layer of security.

On the one hand this is more secure than just granting everyone access to your database, at least they have to be signed in.

On the other hand, if you enable any auth provider in Firebase Authentication, anyone can sign in to your back-end, even without using your app. Depending on the provider, this can be as easy as running a bit of JavaScript in your browser's developer console. And once they are signed in, they can read and write anything in your database. This means they can delete all data with a simple command like firebase.database().ref().delete().

To make the data access more secure, you'll want to more tightly control what each signed-in user can do. For example, say that you keep a profile with information about each user under /users. You might want to allow all users to access these profiles, but you definitely want users to only be allowed to modify their own data. You can secure this with these rules:

{
  "rules": {
    "users": {
      ".read": true,
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid"
      }
    }
  }
}

With these rules, everyone (even non-authenticated users) can read all profiles. But each profile can only be modified by the user whose profile it is. For more on this, see the Firebase documentation on securing user data.

In addition to ensuring that all access to data is authorized, you'll also want to ensure that all data stored is valid to whatever rules you have for you app. For example, say that you want to store two properties for a user: their name, and their age (just for the sake of the example, in reality you'd probably store their date-of-birth instead). So you could store this as something like:

"users": {
  "uidOfPuf": {
    "name": "Frank van Puffelen",
    "age": 48
  }
}

To ensure only this data can be written, you can use this rules:

{
  "rules": {
    "users": {
      ".read": true,
      "$user_id": {
        ".write": "$user_id === auth.uid",
        ".validate": "data.hasChildren('name', 'age')",
        "name": {
          ".validate": "data.isString()",
        },
        "age: {
          ".validate": "data.isNumber()",
        },
        "$other: {
          ".validate": false
        }
      }
    }
  }
}

These rules ensure that each user profile has a name and age property with a string and numeric value respectively. If someone tries to write any additional properties, the write is rejected.

Above is a quick primer on how to think about securing your (user's) data. I recommend that you check out the Firebase security documentation (and the embedded video) for more.

这篇关于Firebase电子邮件说我的实时数据库有不安全的规则的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！