在Firebase安全规则中，如何阻止黑客运行用于注册网站的脚本?没关系，我需要他们能够注册 [英] In Firebase security rules how can you stop hackers running a script for signup to your website? bare in mind I need them to be able to signup

问题描述

在Firebase安全规则中，如何阻止黑客运行用于注册网站的脚本?没关系，我需要他们能够在我的主页上进行外部注册，所以我不能说他们需要登录.

In Firebase security rules how can you stop hackers running a script for signup to your website? bare in mind I need them to be able to signup externally on my homepage so I cannot say they need to be logged in.

通过阅读Firebase安全文档，我了解基本设置，但是我担心它的安全性不足，尤其是当有人新增了我的Firebase应用url来写入或读取数据库时.

I know the basic settings from reading Firebase security documentation but I'm worried its not secure enough, especially if someone new my firebase app url to write or read to the database.

此外，最好了解我应该具备的基本知识，这样我才能检查我是否有这些基本知识.

In addition it would be good to know the basics I should have so I can check if I do have those.

当前我具有以下设置:

{
  "rules": {
    "users": {
        ".read": "auth != null",
        ".write": true,
        ".indexOn": ["uid", "region"]    
    }
  }
}

用户可以按照我的要求进行注册，但是无法登录，除非登录后才能读取.出于性能原因，还具有一些索引.

Users can write as I need them to sign up but cannot read unless then are logged in. Also have some indexes for performance reasons.

这是我的知识停止的地方.

This is where my knowledge stops.

提前谢谢！

推荐答案

您要允许用户写，但只能写自己的用户条目.使用规则实际上很容易做到:

You want to allow users to write, but only to their own user entry. That's actually easy to do with rules:

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ". write": "auth != null && auth.uid == $uid"
      }
    }
  }
}

这表示/user/{$uid}只能由已登录且用户ID与路径的{$uid}部分匹配的用户读取或写入.有关更多信息，请参见规则快速入门.

This says /user/{$uid} can only be read or written by a user who is signed in, and who's user ID matches the {$uid} part of the path. Take a look at the rules quickstart for more.

这篇关于在Firebase安全规则中，如何阻止黑客运行用于注册网站的脚本?没关系，我需要他们能够注册的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！