当不需要站点登录时,将数据库(Cloud Firestore)保持不安全状态是否可以接受? [英] Is it acceptable to leave a database (Cloud Firestore) unsecured when no site login is required?
问题描述
我正在用Angular构建游戏,并且(有史以来第一次)我试图添加一个高分表.我已经建立了一个Firebase帐户,并使一个Firestore (Beta)数据库正常工作并被连接起来.
I'm building a game with Angular and (for the first time ever) I'm trying to add a high score table. I have set up a Firebase account and got a Firestore (Beta) database working and hooked up.
我想要一个非常简单的高分系统.不需要用户登录或创建帐户,您只需打开,播放,然后在得分高的情况下输入您的姓名,它就会被记录并显示在表格中.
I want a very simple high score system. Users will not be required to log in or create an account, you simply turn up, play and then, if you achieve a high score, enter your name and it is recorded and displayed in the table.
所以我的问题是-在不需要登录并且仅保存基本的 name/score/timestamp 数据的情况下,是否可以仅保留我的安全规则如下?构造它们的更好方法?
So my question is - in a situation where no login is required and only basic name/score/timestamp data is saved, is it acceptable to just leave my security rules as below or is there a better way to structure them?
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write;
}
}
}
按原样,我得到一个警告,我的数据库对带有引用的任何人开放,但是在我的特定情况下,这真的很糟糕吗?是否存在我看不到数据库newb的问题?
As they are, I get a warning that my database is open to anyone with the reference but is this really so bad in my particular situation? Are there issues with this that I'm not seeing as database newb?
任何建议都会很棒,因为这对我来说是新的(且复杂的)领域.
Any advice would be great as this is new (and complex) territory for me.
欢呼
推荐答案
我希望我可以在此处使用带有红色闪烁的带下划线的文本,但是您绝对不应该将这个规则集保留在数据库中.
I wish I could use red blinking underlined text here, but you should definitely not leave your database with this ruleset in place.
任何玩您的游戏的人都会看到您的数据库.使用您拥有的规则集,任何人都可以将任何内容读写到数据库(而不仅仅是计分板).您将被允许任何人使用您的数据库来运行自己的系统,而费用将计入您的帐户.
Anyone who plays your game will see your database. With the ruleset you have, anyone can read and write anything to the database (not just your score board). You'll be allow anyone to run their own system using your database, with the costs being charged to your account.
至少,鉴于您提供的描述,您应该:
At a minimum, given the description you've provided, you should:
- 仅允许阅读&写入您的计分板集合
- 验证分数是有效值(例如,整数并在一定范围内
- 验证名称是否为有效值(有助于防止可能的XSS攻击)
- 除了将
score和name写入文档之外,无需验证其他任何字段(因此人们无法隐藏其他有效负载).
- Only allow reading & writing to your score board collection
- Validate the score is a valid value (e.g. an integer and within a certain range
- Validate the name is a valid value (help protect against possible XSS attacks)
- Validate no extra fields other than
scoreandnamebe being written to a document (so people can't hide other payloads).
这篇关于当不需要站点登录时,将数据库(Cloud Firestore)保持不安全状态是否可以接受?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
