将Cloud Firestore限制为特定域 [英] Restricting Cloud Firestore to a specific domain

查看:66
本文介绍了将Cloud Firestore限制为特定域的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

是否有一种方法可以限制Cloud Firestore(用于托管/网络)仅对一个域(例如xyz.com)进行CRUD操作?

Is there a way to restrict Cloud Firestore (for hosting/web) to do CRUD operations with restrictions to one domain only, say xyz.com?

例如,下面的规则未经授权将read, update, delete锁定,但是您仍然可以将write内容锁定到数据库中.

For example, the rule below locks read, update, delete without authorisation but you can still write things to the database.

service cloud.firestore {
  match /databases/{database}/documents {
    match /coming-soon-email-ids/{document=**} {
      allow write;
      allow read, update, delete: if request.auth.uid == !null;
    }
  }
}

还是我必须在其中集成Google的防火墙?

Or do I have to integrate Google's firewall in it?

推荐答案

Firebase安全规则无法限制对Web域的访问.从广义上讲,这是不可能的,因为Firestore旨在使用Web,Android和iOS从世界各地的移动客户端进行访问. Android和iOS客户端似乎永远不会来自某个域.他们只是通过提供的客户端库或有时通过Firestore REST API直接访问数据库. Web客户端甚至可能欺骗其表观域(只有HTTP请求中不安全的"Referrer"标头才真正提供该域).

Firebase security rules aren't able to restrict access to a web domain. In a very general sense, it is not possible, because Firestore is intended to be accessed from mobile clients around the world, using web, Android, and iOS. Android and iOS clients never appear to be coming from some domain. They just directly access the database via the provided client library, or sometimes through the Firestore REST API. Web clients may even spoof their apparent domain (which is only really available by the insecure "Referrer" header in an HTTP request).

您只能真正限制使用Firebase身份验证登录到您的应用程序或网站的用户的访问权限,但不能限制他们来自何处的 .

You can only really restrict access to users signed in to your app or site using Firebase Authentication, but you can't limit where they come from.

这篇关于将Cloud Firestore限制为特定域的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆