Flutter/Firebase: Admin features in-app or cloud functions?


Question

I'm writing an app with Flutter and Firebase (using Firestore, Storage and Authentication so far).

Currently the app shows content from Firebase, but now I'm trying to figure out what the best way is to implement writing/editing/removing stuff in Firebase.

The goal is to have users with admin privileges.

My question is if I can build an Admin Panel inside the client app (which would be ideal), or if that's considered bad practice and I should build an Admin Panel in another app and use Cloud Functions.

For example, currently I perform Authentication (signup/register) in the Flutter/Dart code, and when registering it creates a field in Firestore isAdmin = false, which I can then manually set to true (if I want) in the Firestore console. Could this somehow be an "unsafe" way of doing this?

Answer

The goal is to have users with admin privileges

Since you are using the Authentication service you already have half of the solution: with authentication you can identify each user who is using your app.

The other part is Authorization: this is normally done with Security Rules in Firebase, both for Firestore and Cloud Storage.

To be able to authorize certain users (identified through authentication) with Admin privileges, you need to know which users have the admin role in such a way that you can authorize them to execute the admin functions.

One possible way to identify the admin users is to have an isAdmin flag in some user documents in Firestore, as you mention in your question. There is an example of a Firestore Security Rule using this approach in the documentation.

HOWEVER, you will encounter some problems if you want to use this flag (stored in Firestore) with Security Rules for Cloud Storage. At the time of writing, it is not possible to read the value of a Firestore document in Security Rules for Cloud Storage.

The solution is to use Custom Claims. You will find all the details in the doc on how to implement it in such a way that it fulfills your needs.

Can I build an Admin Panel inside the client app?

Yes, you can very well do that. As soon as your security is correctly implemented (through Authentication and Security Rules, as explained above), there is nothing that prevents you from developing an Admin panel. If a user that is not admin can access the Admin panel, he/she will not be able to perform the admin actions (i.e. writing/editing/removing Firestore or Cloud Storage data).

Moreover, with Custom Claims, you can access them in the front-end to modify the client UI based on the user's role or access level (i.e. showing the pages, buttons and menu items of the Admin module only to admin users; note however that this does not prevent someone from reverse engineering your app and executing the queries dedicated to admin users: this is why it is key to correctly implement the Authentication and Security Rules parts). See this section in the Custom Claims doc.

Should I build an Admin Panel in another app and use Cloud Functions?

If you don't want to over-complicate your app with some logic to hide/show the Admin panel elements (based on Custom Claims, see above) you can very well build the Admin Panel in another app.

If you have specific needs/access restrictions that cannot be implemented through standard Security Rules you could very well use some Cloud Functions to check that the user is an admin and to execute the writing/editing/removing admin actions (note however that while it is quite easy to interact with Firestore from a Cloud Function, it can be a bit more tricky with Storage: using the Cloud Storage Client SDKs is much easier than interacting with Cloud Storage through Cloud Functions).

You would preferably use Callable Cloud Functions, since "with callables, Firebase Authentication and FCM tokens, when available, are automatically included in requests". (See https://firebase.google.com/docs/functions/callable).

Side Note: You may be interested in this article, which details how to create an Admin module for managing user access and roles. (Disclaimer: I'm the author).
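The answer's last recommendation, a Callable Cloud Function that checks the admin role server-side before performing an admin action, is shown below as an added example; it is not code from the answer, the question, or Firebase itself. It assumes the v1 `functions.https.onCall` handler shape, where `context.auth.uid` is the caller and `context.auth.token` is the decoded ID token carrying the custom claim `admin: true`; the `posts` and `adminAudit` collection names, the `deletePost` action and the in-memory Firestore stand-in are constructed for the example so it runs offline. The check reads the claim from the verified token only, never from a client-writable Firestore field, which is the difference between the `isAdmin` document flag from the question and a Custom Claim.

```javascript
// Added example (not from the original answer): a callable-function handler that
// enforces the `admin` Custom Claim server-side, validates input, and records an
// audit entry. Collection names and the FakeFirestore are assumptions/constructed.

// Mirrors the shape of functions.https.HttpsError so the client receives a
// standard error code ('unauthenticated', 'permission-denied', ...).
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.name = 'HttpsError';
    this.code = code;
  }
}

// Authorization: the decoded ID token in context.auth.token must carry the
// custom claim admin === true. Nothing stored in a Firestore document is
// consulted, so a user cannot elevate themselves by editing their own document.
function requireAdmin(context) {
  if (!context || !context.auth || !context.auth.uid) {
    throw new HttpsError('unauthenticated', 'Sign-in required.');
  }
  const claims = context.auth.token || {};
  if (claims.admin !== true) {
    throw new HttpsError('permission-denied', 'Admin role required.');
  }
  return context.auth.uid;
}

// Input validation: accept only a plain document id so a caller cannot smuggle
// path separators or an empty/oversized value into the Firestore path.
function validateDocId(id) {
  if (typeof id !== 'string' || !/^[A-Za-z0-9_-]{1,128}$/.test(id)) {
    throw new HttpsError('invalid-argument', 'postId must be a simple document id.');
  }
  return id;
}

// Factory: wire `db` to admin.firestore() in production, or to the fake below.
function makeDeletePostHandler(db) {
  return async function deletePost(data, context) {
    const uid = requireAdmin(context);                  // who may act
    const postId = validateDocId(data && data.postId);  // on what
    await db.collection('posts').doc(postId).delete();
    // Every admin action is attributed to the acting uid for later review.
    await db.collection('adminAudit').add({ action: 'deletePost', postId, by: uid, at: Date.now() });
    return { deleted: postId };
  };
}

// Constructed in-memory subset of the Firestore API (collection/doc/delete/add).
class FakeFirestore {
  constructor(seed) { this.data = seed; }
  collection(name) {
    const col = this.data[name] || (this.data[name] = {});
    return {
      doc: (id) => ({ delete: async () => { delete col[id]; } }),
      add: async (fields) => {
        const id = 'auto' + Object.keys(col).length;
        col[id] = fields;
        return { id };
      },
    };
  }
}

// Offline demo: a signed-in non-admin and an admin call the same function.
async function demo() {
  const db = new FakeFirestore({ posts: { p1: { title: 'hello' } } });
  const deletePost = makeDeletePostHandler(db);
  const user = { auth: { uid: 'u1', token: { admin: false } } };   // constructed
  const admin = { auth: { uid: 'a1', token: { admin: true } } };   // constructed
  let denied = null;
  try { await deletePost({ postId: 'p1' }, user); } catch (e) { denied = e.code; }
  const ok = await deletePost({ postId: 'p1' }, admin);
  return {
    denied,                                       // 'permission-denied'
    ok,                                           // { deleted: 'p1' }
    remainingPosts: Object.keys(db.data.posts),   // []
    auditEntries: Object.keys(db.data.adminAudit).length, // 1
  };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

In a real deployment the handler is exported as `exports.deletePost = functions.https.onCall(makeDeletePostHandler(admin.firestore()))`, and the claim is granted from a trusted environment (a Cloud Function or an admin script, never the client) with `admin.auth().setCustomUserClaims(uid, { admin: true })`; the claim appears in the user's ID token only after the token is next refreshed. The same `admin` claim is what Firestore and Cloud Storage Security Rules can read as `request.auth.token.admin`, so one source of truth covers rules and callables alike.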
