Enforcing Firebase database security rules from Cloud Functions


Problem description

In my Firebase Cloud Functions I'm often reading and writing data from and to the Firebase database. According to the documentation, functions run with admin privileges. As a result, all my security rules in the DB are bypassed. Considering that some of my functions are essentially API calls (HTTP triggers, etc.), I'd like to enforce the DB rules.

Is it possible to use a non-admin account from Firebase Cloud Functions?

Current code:

const functions     = require('firebase-functions');
const admin         = require('firebase-admin');

admin.initializeApp(functions.config().firebase);

const ref = admin.database().ref();

I've tried to use the 'standard' firebase NPM module, but that won't work, deployment fails with some internal error - I guess it was not designed for such use (documentation seems to confirm this).

Recommended answer

If your client app doesn't need to allow clients to write the database directly, I suggest you set the database security rules to read-only for all authorized users, then verify all data written via HTTPS function within the logic of the function itself. You'll have a lot more flexibility in expressing what's valid, and in the event a client sends invalid data, you'll be able to generate more useful error messages. (Security rules don't give you a strong indication what exactly is wrong with the write, only that it failed.)
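
The approach suggested in the answer, sketched as an added example that is not part of the original answer: rules deny all client writes, and the HTTPS function authenticates the caller and validates the payload before writing with admin privileges. The `messages` data shape, the 280-character limit and the helper names `validateMessage` and `makeHandler` are assumptions; the Firebase calls are injected so the logic runs without a Firebase project.

```javascript
// Added example; the "messages" shape, 280-char limit and helper names are assumptions.
// Companion database rules: signed-in users may read, no client may write.
//   { "rules": { ".read": "auth != null", ".write": false } }

// Return a list of specific problems with the payload (empty list = valid).
function validateMessage(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['body must be a JSON object'];
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    if (key !== 'text') errors.push(`unexpected field: ${key}`);
  }
  if (typeof body.text !== 'string') errors.push('text must be a string');
  else if (body.text.trim().length === 0) errors.push('text must not be empty');
  else if (body.text.length > 280) errors.push('text must be at most 280 characters');
  return errors;
}

// Build an Express-style handler. In a deployed function the dependencies would be
//   verifyIdToken: (t) => admin.auth().verifyIdToken(t)
//   write: (uid, msg) => admin.database().ref(`messages/${uid}`).push(msg)
// and the handler would be passed to functions.https.onRequest(...).
function makeHandler({ verifyIdToken, write, now = Date.now }) {
  return async (req, res) => {
    if (req.method !== 'POST') return res.status(405).json({ error: 'POST only' });
    const match = /^Bearer (.+)$/.exec(req.headers.authorization || '');
    if (!match) return res.status(401).json({ error: 'missing bearer token' });
    let uid;
    try {
      ({ uid } = await verifyIdToken(match[1]));
    } catch (e) {
      return res.status(401).json({ error: 'invalid ID token' });
    }
    const errors = validateMessage(req.body);
    if (errors.length > 0) {
      return res.status(400).json({ error: 'invalid data', details: errors });
    }
    // The write location comes from the verified uid, never from client input.
    await write(uid, { text: req.body.text.trim(), createdAt: now() });
    return res.status(201).json({ ok: true });
  };
}
```

Because the Admin SDK bypasses the rules, the checks in the handler are the only gate on writes, so every field the client can send has to be covered by the validator.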
