Restrict access to Firebase storage so only my app can access it


Problem description

That's my scenario: 1) I am developing an iOS app that uses Firebase storage. 2) My app has a custom light-weight authentication mechanism based on Facebook login. 3) All authenticated users can access ANY data in Firebase storage. 4) All others cannot.

All I want is to ensure that only my app can access storage. If I were building my own server, I would just evaluate each incoming request against some API key which is pre-set in the app, so that all requests coming from my app are resolved successfully. And if somebody else wants to use my API, he would have to know the API key.

I see that this is not a solution for a WEB APP, because everybody can see the source code (and the API key), but this is OK for a mobile app, where there is no such possibility.

So my question is: should I bother about it, or does Firebase already do this work based on the API key in the config file? And in case I should, what would you recommend?

Maybe I missed something in Firebase's docs, but I found them unclear about this particular issue.

Recommended answer


In normal circumstances, yes, all others cannot access the storage. But, nothing is 'unhackable'.

  1. People could reverse engineer your app and get the credentials, API key etc. So the best way is to apply another layer of protection such as this (for iOS) and this (for Android) (just for your reference). Still, it is hackable, but it takes more effort, and normally people would give up attacking it.

I assume you are using the standard Firebase way, which requires you to download the config file. Looking into the config file you placed in the project, it allows people to access the Firebase features (Firebase storage in this case) under your API key usage. You could apply 2-way factor authentication (either from Firebase auth or Facebook auth) to authenticate genuine users.


Hope it gives you some ideas, cheers!
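As an added example (not part of the question or of the answer above): the behaviour the question asks for, signed-in users can reach everything and nobody else can, is enforced server-side by the bucket's Security Rules rather than by the API key in the downloaded config file, which only identifies the project. This assumes the Facebook login is completed through Firebase Authentication, so that `request.auth` is populated, and that the app uses the single default bucket.

```rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Weak setting to avoid: `allow read, write: if true;` would let any
    // request that knows the bucket name (the API key is not a secret)
    // read and write every object.
    match /{allPaths=**} {
      // Any user signed in via Firebase Authentication (Facebook provider
      // included) may read and write; requests without a valid ID token
      // are rejected regardless of which API key they carry.
      allow read, write: if request.auth != null;
    }
  }
}
```

A client that only has the API key and no signed-in user receives a permission-denied error from the rules, so the API key alone gives no access.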
