如何从用户操作中保护Firebase帐户等? [英] How to secure Firebase account etc. from user actions?

问题描述

我正在使用Firebase和一些在Google App Engine上运行的Node.JS作为后端来开发一个业余项目.我是这个领域的新手，而且一个月前也听说过Firebase.

I am developing a hobby project using Firebase and some Node.JS running on Google App Engine as backend. I am a real newbie in this area, and also just hear about Firebase a month ago.

我的问题涉及到即使Firebase在客户端以JS运行，如何从用户操作中保护各种事物".

My question relates to how various "things" can be secured from user actions, even though Firebase is running as JS on client-side.

我知道可以使用适当的逻辑规则来保护数据库和存储.

I am aware that the DB and Storage can be secured using logical rules - that is in place.

我的问题是关注用户可以使用firebase.auth()和类似功能执行的操作，例如:

My question rather concerns the actions an user can perform with firebase.auth() and similar, such as:

• firebase.auth().createUserWithEmailAndPassword()
• firebase.auth().currentUser.delete()
• firebase.auth().currentUser.link()

正如我从下面的链接问题中了解到的那样，没有解决方案-用户将始终可以调用这些功能，并且由于它们无法接触其他用户帐户，因此被认为是低风险的. 防止Firebase用户删除自己"

As I have understood it from the question linked below, there is no solution - user will always be able to call these functions, and it is considered low-risk since they cannot touch other user accounts. "prevent firebase user from deleting himself"

我担心无法阻止用户执行这些操作，因为我无法对数据库执行相关更改.对于某些基本用例，我认为建立一个夜间批处理作业很容易，但是我担心将来会出现更复杂的问题.

My concern with not being able to block users from these actions is that I cannot perform the relevant changes to the DB. For some basic use cases I assume it is easy to set up a nightly batch-job to clean up, but I am afraid of future more complex issues.

我当前用于执行原子动作的解决方案，例如删除用户帐户并删除数据库中的用户数据，就是向我的后端Node.JS服务器发送请求.效果很好，但据我所知，用户可以通过此请求并请求currentUser.delete()自己.另一种情况是，当用户取消链接Google帐户时.我希望该用户注销，但是在前提下，该用户可以取消与后续操作的链接.

My current solution for making atomic actions, e.g. delete user account and delete user data in DB, is to send a request to my back-end Node.JS server. That works fine, but a user could, as I understand, by pass this and request e.g. currentUser.delete() by himself/herself. Another case is when a user unlinks a google account. I would like the user to be logged out by, but with the premises the user can unlink with the follow up action.

问题:我误解了吗?可以很容易地防止这种情况发生吗，还是可以使所有可用的操作都被认为是无害的，而这取决于我进行巧妙的清理等工作吗?如果无法避免，那么您还有比每晚批处理工作更聪明的建议吗?

Question: Have I misunderstood anything? Can this be easily prevented, or is it so that all the available actions are consider harmless and it is up to me to perform clever clean-up etc.? If it cannot be prevented, do you have any more suggestions more clever than nightly batch jobs?

推荐答案

使用Firebase的Cloud函数，例如，您可以在用户删除时触发一个函数.这样，每次删除用户时，您都可以运行代码进行清理.无论如何调用用户删除.

With Cloud functions for firebase you could for example trigger a function on user deletion. That way every time a user is deleted, you can run your code to do the clean up. No matter how the user deletion is invoked.

exports.removeUserFromDatabase = functions.auth.user().onDelete(function(event) {
    // Get the uid of the deleted user.
    var uid = event.data.uid;

    // Remove the user from your Realtime Database's /users node.
    return admin.database().ref("/users/" + uid).remove();
});

"onCreate"也是如此.查看他们的文档 https://firebase.google.com/docs/auth/extend-with-功能

The same goes for "onCreate". Check out their documentation https://firebase.google.com/docs/auth/extend-with-functions

这篇关于如何从用户操作中保护Firebase帐户等?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！