为读取Firebase Firestore的数据添加限制 [英] Add a limit for data reads firebase firestore

问题描述

我们有一个使用Firestore的iOS应用.该应用程序仅读取数据(不写入)，我们没有用户帐户，并且数据库上的任何内容均不受保护.因此，我们使用了这些幼稚的安全规则

We have an iOS app that uses Firestore. The app only reads data (no writes), we have no user accounts and nothing on the database must be protected. For that reason we ran with these naive security rules

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
       allow read;
    }
  }
}

但是，Firebase警告我们(肯定有充分的理由)，这使我们处于危险之中，原因有两个:

However, Firebase has warned us (sure, for good reasons) that this puts us at risk for two reasons:

1. 任何用户都可以从数据库中读取任何内容，因此没有什么是安全的.

我不认为这是一个问题，因为我们没有什么可以保密的.至少到目前为止，这肯定会改变.

I don't see this as a problem because we have nothing that must be kept secret. At least for now, sure, that might change.

1. 允许无限次读取

这是问题所在.我想一个恶意用户可以读取我们的数据库数百万次，从而关闭我们或仅仅迫使我们支付大笔账单(我们使用Blaze计划，即付即用).

This is were the problem lies. I suppose a malicious user could read our database millions of times and thereby shut us down or simply force us to pay a large bill (we use the Blaze plan, pay as you go).

我们如何保护我们免受此侵害?我在这里看到了类似的问题，但是它们没有提供任何有用的建议，

How can we protect us from this? I've seen similar questions here but they don't provide any helpful suggestions, How to limit rate of data reads from Firebase?

我的想法是，我们可以在应用程序中使用匿名用户帐户，然后在我们的安全规则中，仅当用户登录"(因此使用该应用程序的任何人)时才允许读取.我与Firebase和安全问题专家相距甚远，但是这是否会使某人数百万次读取我们的数据库而变得更加困难或不可能，因为它必须通过该应用程序完成?

My idea is that we could use anonymous user accounts in the app and then in our security rules only allow read if user is "logged in" (thereby anyone using the app). I'm far from an expert on Firebase and security issues, but wouldn't this at least make it harder or impossible, for someone to read our database millions of times because it must be done through the app?

还有其他建议可以解决这个问题吗?

Any other suggestions how we may approach this?

推荐答案

在您允许对文档的读取访问之后，实际上没有一种方法可以限制特定客户端应用的读取速率.有了完全公开的阅读规则，Internet上的每个人都可以重复阅读文档以产生费用.不过，发生这种情况的机会确实很小，您应该向 Firebase报告似乎是滥用行为的情况支持.

There's not really a way to throttle the read rate for a particular client app once you allow read access to a document. With fully public read rules, everyone on the internet could read documents repeatedly to run up a bill. The chances of that happening are really slim though, and you should report what appears to be abusive behavior to Firebase support.

您可以通过调出您希望客户端能够阅读的单个顶级集合来摆脱警告消息.由于Firebase不知道您可能要允许或禁止访问哪些集合，因此应该明确.例如，每个集合都类似这样:

You can get rid of the warning message by calling out the individual top-level collection you would like the clients to be able to read. Since Firebase doesn't know which collections you might want to allow or disallow access to, you should be explicit. For example, something like this for each collection:

    match /collection1/{document=**} {
       allow read;
    }
    match /collection2/{document=**} {
       allow read;
    }

如果这样做，请确保删除您现在拥有的允许访问所有文档的规则.

If you do this, be sure to remove the rule you have now that allows access to all documents.

这篇关于为读取Firebase Firestore的数据添加限制的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！