Flutter firebase send Token with database read


Problem description


When I try to read a document in my Firebase, I want to be able to check if the request is legit. For this reason, there is a token that is stored in Firebase. I only want to allow access if the token matches the client's. So my security rules should check whether the token from the client matches the one in the document. I cannot do this with auth, as my app does not have a login and relies purely on the document ID and token to access the data.


So my question is: how can I send a parameter with my Flutter read request? And how can I compare whether the token in the request matches the one in the document? I figured this would be roughly the way:

match /databases/{database}/documents {
  match /test/{document} {
    allow write, read: if request.resource.data.token== document.data.token;
  }
}

Recommended answer


So my question is, how can I send a parameter with my flutter read request?


You can't pass your own parameters to the security rules. The only information available in the security rules (for a read request) is:

  • the token of the user that made the request.
  • the path of the data that the user is trying to read.
  • any query parameters they pass along.


So if you want to do this type of check, you'll have to encode the token in one of those three things. The simplest one is to use the token as the document ID. And then change your rules to:

service cloud.firestore {
  match /databases/{database}/documents {
    match /test/{document} {
      // Single-document reads only; list (collection queries) stays denied.
      allow get: if true;
    }
  }
}


The user can now still get a document, but can no longer list documents (read is the same as get + list). That boils down to: if you know the ID of a document, you can read it. This is a quite common way to secure document access, and is known as a form of a shared secret.
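
The client side of this pattern, as an added Dart sketch that is not part of the original answer: it reads one document whose ID is the token and checks that listing the collection is refused. It assumes the `cloud_firestore` and `firebase_core` packages, that `Firebase.initializeApp()` has already run, and the `test` collection from the rules above; the function names are hypothetical. Because the document ID is the only secret, the helper for whoever creates documents draws it from a CSPRNG (document creation itself is outside the rules shown and is assumed to happen from a trusted environment).

```dart
import 'dart:convert';
import 'dart:math';

import 'package:cloud_firestore/cloud_firestore.dart';
import 'package:firebase_core/firebase_core.dart';

// Hypothetical helper: a 256-bit, URL-safe document ID for the creating side.
// base64url never emits '/', so the result is a valid Firestore document ID.
String newDocumentToken() {
  final rng = Random.secure();
  final bytes = List<int>.generate(32, (_) => rng.nextInt(256));
  return base64Url.encode(bytes).replaceAll('=', '');
}

// Reads the single document whose ID is the token.
// With `allow get: if true`, a wrong token yields a snapshot that does not
// exist, so an invalid token and a missing document look the same: null.
Future<Map<String, dynamic>?> fetchByToken(String token) async {
  final snap =
      await FirebaseFirestore.instance.collection('test').doc(token).get();
  return snap.exists ? snap.data() : null;
}

// Deployment check: a collection query is a `list` operation, which the
// rules do not allow, so it must fail with permission-denied.
Future<bool> listingIsDenied() async {
  try {
    await FirebaseFirestore.instance.collection('test').limit(1).get();
    return false; // Query succeeded: document IDs are enumerable.
  } on FirebaseException catch (e) {
    return e.code == 'permission-denied';
  }
}
```

If `listingIsDenied()` returns false, anyone can enumerate the document IDs and the shared secret protects nothing.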
