Firebase simple authentication with email/password

Question

I'm new to Firebase and I'm attempting to set up a simple authentication system using e-mail/password. The initial concept is simple: you register. Then, after logging in, you can access the rest of the mobile app.

In the past, I could set this up with PHP in just a few minutes. But with Firebase, this has become a battle that I can't seem to win.

Using the light documentation found on Firebase's site, I was finally able to successfully register and authenticate a user. Great.

Unfortunately, people can still access the rest of the app whether they are logged in or not. How do I keep the app protected from non-authenticated users?

Also, how do I associate data submitted on a page with an authenticated user?

I've looked at Firebase's documentation. It lacks practical examples for authentication. It keeps referring me to the Firefeed app as a sample. I've looked at Firefeed's code and the authentication system seems 1) excessively complicated for a login system and 2) too intricately tied in to news feeds to be a practical example to learn from.

On the other hand, perhaps I'm just missing something obvious and fundamental. If someone could point me in the right direction, that would be great. Thanks! :-)

(By the way, I tried e-mailing this question to firebase-talk@googlegroups.com, as suggested on Firebase's site... but the group does not appear to exist, according to the bounce-back message from Google.)

Recommended answer

Stepping back for a moment, it's worth noting that Firebase Simple Login is an abstraction built on top of Firebase Custom Login for convenience. You can still use your existing authentication with Firebase using Custom Login, if you like.

Firebase Simple Login eliminates the need for you to run a server just for authentication. However, there is no 1-to-1 parallel to the PHP example where the server would govern request access based upon a detected session on the server, because all of your logic, templates, etc. live in client-side code.

In most cases, your client-side logic, templates, assets, etc. will be static and public. What you're really looking to secure is user and application data, and this is where Firebase Authentication (whether using Simple Login or Custom Login) comes in. Firebase Authentication is essentially token generation - taking confirmed, identifiable user data and passing it securely to Firebase so that it cannot be spoofed.

Read / write access to different paths in your Firebase data tree is governed by Firebase Security Rules, which allow you to write JavaScript-like expressions to control which clients can access which data.

Here's an example:

Suppose you have a user list, where each user is keyed by user id, such as /users/<user-id>/<data>, and you want to ensure that only the logged in user can read / write their own data. With Simple Login, this is really easy!

Looking at the After Authenticating section of Email / Password authentication docs, we see that the auth variable in our security rules will contain a number of fields after authenticating, including id, the user's unique user id. Now we can write our security rules:

{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$userid": {
        ".read": "auth != null && auth.uid == $userid",
        ".write": "auth != null && auth.uid == $userid"
      }
    }
  }
}

What's going on here? Firebase Authentication (using Simple Login) securely generated a token containing your verified user data upon login, and that token data becomes available in your security rules via the auth variable for the connection. Now, in order for a client connection to read or write to /users/xyz, the user must be authenticated and authenticated as user xyz.

Most of the above is covered in the Security Quickstart but it is admittedly a little hard to wrap your head around.

Back to your initial question, if you want to redirect away from certain paths when a user is not authenticated, you can do the following:

var ref = new Firebase(...);
var auth = new FirebaseSimpleLogin(ref, function(error, user) {
  if (!user) {
    // we're logged out, so redirect to somewhere else
  } else {
    // we're logged in! proceed as normal
  }
});

Hope that helps!
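
To see what the rules in the answer allow, here is an added example (not part of the original answer and not Firebase's own evaluator): a simplified model of how those rules are checked for a path, run against constructed auth payloads. The function names evalRule and isAllowed are hypothetical; the last lines show that data written under /users/<user-id> is tied to the authenticated user and closed to everyone else.

```javascript
// Simplified model of how security rules are checked (not Firebase's evaluator).
// The rules are the ones from the answer; auth payloads below are constructed.
const rules = {
  ".read": false,
  ".write": false,
  users: {
    $userid: {
      ".read": "auth != null && auth.uid == $userid",
      ".write": "auth != null && auth.uid == $userid"
    }
  }
};

// A rule is a boolean or a JavaScript-like expression over auth and $captures.
function evalRule(rule, auth, captures) {
  if (rule === undefined) return false; // no rule here: nothing granted
  if (typeof rule === "boolean") return rule;
  const names = Object.keys(captures);
  const fn = new Function("auth", ...names, `return (${rule});`);
  return Boolean(fn(auth, ...names.map((n) => captures[n])));
}

// Walk from the root to the path; the first level that grants wins. A false
// higher up does not veto a deeper grant; a path no rule covers is denied.
function isAllowed(op, path, auth) {
  let node = rules;
  const captures = {};
  if (evalRule(node["." + op], auth, captures)) return true;
  for (const segment of path.split("/").filter(Boolean)) {
    if (/^[.$]/.test(segment)) return false; // not a valid data key
    if (Object.prototype.hasOwnProperty.call(node, segment)) {
      node = node[segment];
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wildcard) return false;
      captures[wildcard] = segment;
      node = node[wildcard];
    }
    if (evalRule(node["." + op], auth, captures)) return true;
  }
  return false;
}

const xyz = { uid: "xyz" }; // constructed token payload for user xyz
console.log(isAllowed("read", "/users/xyz", null));          // logged out
console.log(isAllowed("write", "/users/xyz/notes/1", xyz));  // own subtree
console.log(isAllowed("read", "/users/abc", xyz));           // someone else's data
```

The redirect in the login callback only changes what the user sees; the rules are what keep one user's data away from another.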
