限制Firestore对admin-sdk的访问 [英] Restrict firestore access to admin-sdk

查看:61
本文介绍了限制Firestore对admin-sdk的访问的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在基于 VueJs (针对 UI )和 NodeJs (针对后端(将在Google Cloud Platform中运行)+ Firestore (用于 auth +数据库).

I am designing an application (let's call it a TodoList app) based on VueJs (for the UI) + NodeJs (for the backend, which will run in Google Cloud Platform) + Firestore (for the auth + database).

我徘徊在Google庞大的文档中(有时是多余的!)来实现某些可行的方法,但我不确定它是否可以保证生产.

I have wandered through the huge documentation of Google (sometimes redundant!) to achieve something that should work but I am not sure it's production-proof.

情况:

  • 由于对Firebase进行了基于密码的身份验证,因此用户已经登录了我的VueJs应用程序(并且该用户的凭据(包括他的accessToken)存储在我的Vuex存储中).
  • Firebase Admin SDK正在后端运行.
  • 我的VueJs应用正在请求我的后端.
  • 后端验证在客户端中发送的accessToken -附带请求
  • 由于有了Admin SDK,我的后端才请求我的Firestore数据库
  • A user has signed-in on my VueJs app thanks to the password-based authentication of Firebase (and the user's credentials, including his accessToken, are stored in my Vuex store).
  • The Firebase Admin SDK is running on my backend.
  • My VueJs app is requesting my backend.
  • The backend verifies the accessToken sent in the client-side request
  • It is my backend that request my Firestore database thanks to the Admin SDK

我在Firestore数据库上设置了一些安全规则:

I have set some security rules on my Firestore database:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}

所以我不希望任何登录的用户访问另一个用户的数据.

so that I don't want any logged users to access data from another user.

问题:

由于Firebase Admin SDK对我的Firestore数据库具有完全特权,因此我如何确保不会出现任何安全问题.现在,我只是在验证请求中发送的accessToken到我的后端,但是...令我感到不舒服!

As the Firebase Admin SDK has full privilege on my Firestore database, how can I make sure there won't be any security issues. For now, I am just verifying the accessToken sent in the request to my backend, but ... something makes me feel wrong with this!

代码:

在客户端:

auth.onAuthStateChanged((user) => {
  if (user) {
    // Save the user credentials
  }
}

在服务器端:

// idToken comes from the client app (shown above)
// ...
admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    var uid = decodedToken.uid;
    // Retrieve or add some data in /users/{userId}/{document=**}
  }).catch(function(error) {
    // Handle error
  });

如您所见,一旦我验证了accessToken并检索了uid,就可以在数据库上执行任何操作.

As you can see, once I validate the accessToken and retrieve the uid, I can do anything on my database.

参考

  • https://firebase.google.com/docs/admin/setup
  • https://firebase.google.com/docs/auth/admin/verify-id-tokens
  • https://firebase.google.com/docs/reference/admin/node/admin.firestore

感谢您的帮助!

推荐答案

管理SDK将始终具有对数据库的完全访问权限.

由于客户端从不直接访问Firebase,因此应完全禁用对所有文档的访问.您的API仍然可以访问

Since the client is never accessing Firebase directly, you should totally disable access to all documents. Your API will still have access

match /{document=**} {
  allow read, write: if false;
}

这篇关于限制Firestore对admin-sdk的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆