使用React,Redux和Firebase登录时检查用户的自定义声明(是管理员) [英] Checking a users custom claims (is an admin) on login with React, Redux and Firebase
问题描述
我想知道是否有人可以帮助我.
I was wondering if someone could help me.
我当前正在建立一个管理仪表盘,只能由管理员访问.我正在使用React,Redux和Firebase.
I am currently building an admin dashboard, which can only be accessed by admins. I am using React, Redux and Firebase.
我设法在云功能中针对特定用户设置了自定义声明,如下所示:
I have managed to set custom claims on specific users in a cloud function like so:
exports.addSuperAdminRole = functions.https.onCall((data, context) => {
return admin.auth().getUserByEmail(data.email).then(user => {
return admin.auth().setCustomUserClaims(user.uid, {
superAdmin: true
})
}).then(() => {
return {
message: `Success! ${data.email} has been made an admin.`
}
}).catch(err => {
return err;
});
});
我现在只想限制超级管理员访问仪表板,并且想知道什么是最好的(最安全的)方法.
I would now like restrict access to the dashboard for superAdmins only, and was wondering what was the best (most secure) way to do this.
当前,我正在执行以下客户端登录操作,在该操作中,我将检查自定义声明,并在用户不是管理员的情况下将其注销:
Currently I have the following client side login action working where I check the custom claim and just log the user back out if they are not an admin:
export const login = creds => {
return async (dispatch, getState, { getFirebase }) => {
const firebase = getFirebase();
try {
await firebase
.auth()
.signInWithEmailAndPassword(creds.email, creds.password);
const currentUser = firebase.auth().currentUser;
currentUser.getIdTokenResult().then(idTokenResult => {
console.log(currentUser);
currentUser.superAdmin = idTokenResult.claims.superAdmin;
if (!currentUser.superAdmin) {
console.log('is not admin');
firebase.logout();
}
});
} catch (error) {
console.log(error);
throw new SubmissionError({
_error: 'Login failed'
});
}
};
};
这是否足够?我是否需要在登录时运行云功能,检查声明并注销用户?如果是这样,怎么办?
Is this sufficient or do I need to run a cloud function on login, check the claims, then logout the user? If so how would do this?
您能给我的任何帮助将不胜感激!
Any help you could give me would be greatly appreciated!
干杯
詹姆斯
推荐答案
请注意,在任何情况下,最重要的是,您必须使用包含superAdmin声明的安全规则正确地保护数据库 /strong>.
Note that, in any case, what is the most important is that you correctly secured your database with security rules that incorporate the superAdmin claim.
事实上,任何知道您管理控制台的URL的人都可以轻松获取Firebase配置(即使未登录,因为此配置对象嵌入在您应用的js文件中).然后,他们可以实现自己的网页,该网页调用signInWithEmailAndPassword()方法而无需注销.
As a matter of fact, anybody who knows the URL of your admin dashboard can easily get your Firebase configuration (even if they are not logged in, as this config object is embedded in the js files of your app). Then they can implement their own web page which calls the signInWithEmailAndPassword() method without being logged out.
换句话说,您不应浪费额外的时间来保护"仪表板Web应用程序,该应用程序应被视为显示数据库数据的简单用户界面". 这是您需要保护的数据库.
In other words, you should not waste extra time "protecting" your dashboard web app, which should be considered as a simple "user interface" that displays data from your database. It is THE database that you need to protect.
结论:根据声明隐藏管理仪表盘页面(或管理菜单项和/或管理按钮)(即根据用户的角色或访问权限来修改客户端用户界面)级别"(如 doc 所述), 知道您的数据库已受到正确保护.
Conclusion: hiding the admin dashboard pages (or the admin menu items, and/or the admin buttons), based on the claims (i.e. "modifying the client UI based on the user's role or access level", as explained in the doc) is sufficient, knowing that your database is correctly protected.
这篇关于使用React,Redux和Firebase登录时检查用户的自定义声明(是管理员)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
