How to let a specific API run write/read requests on Firestore?


Problem description

Today I have the following rule on my firestore:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth.uid != null;
    }
  }
}

I can't execute requests from my API since it's not signed in (is there any way to auth through the CLI only?). But I want to make sure that only my API makes these requests.

Is there any way to add a specific header to my request and validate it in Firebase rules?

If this is not the best approach, which one would be?

Context: using auth through the Google provider only.

Recommended answer

"only my API makes these requests"

This is not possible with a Cloud hosted API like this. Since any client must be able to make such calls, all configuration information must be present in the client that you ship to your users. And that means that a malicious user can take that configuration data and make their own (equivalent or very different) calls.

Adding a custom header (if that were possible) would also not help, as they could just as easily grab that header and use it in their own requests. So while there are good use cases for adding additional data to the request, added security isn't one of them.

What you can (and should) do is validate that any data written to your database conforms to the business requirements of your app. Don't rely on the client-side code doing the right thing, but validate in your security rules that the incoming data is valid.

For more information, see:

  • the documentation on validating data in security rules
  • the video with 5 tips to secure your app
  • this excellent sample of validating data on AngularFirebase.com
  • and this previous question on the topic: How do I prevent un-authorized access to my Firebase Database?. While it is about the Firebase Realtime Database, the logic in the accepted answer applies to all Firebase products.
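As an added illustration of the advice above (not part of the original answer), the rule set below validates the shape and ownership of incoming data instead of trying to recognise "my API". It assumes a hypothetical `posts` collection whose documents carry `title`, `body`, `ownerId` and `createdAt`; every signed-in client, the poster's API included, is held to the same checks.

```firestore
// Added example, not from the original question or answer.
// Assumes a hypothetical "posts" collection with the fields
// title, body, ownerId and createdAt.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Reusable predicates keep each allow clause readable.
    function signedIn() {
      return request.auth != null;
    }
    function validPost(data) {
      return data.keys().hasOnly(['title', 'body', 'ownerId', 'createdAt'])
        && data.title is string
        && data.title.size() > 0 && data.title.size() <= 100
        && data.body is string && data.body.size() <= 10000
        && data.ownerId is string;
    }

    match /posts/{postId} {
      allow read: if signedIn();

      // Create: well-formed document, owned by the caller, stamped with the
      // server time (a client-chosen createdAt is rejected).
      allow create: if signedIn()
        && validPost(request.resource.data)
        && request.resource.data.ownerId == request.auth.uid
        && request.resource.data.createdAt == request.time;

      // Update: only the owner, shape still valid, owner and timestamp immutable.
      allow update: if signedIn()
        && resource.data.ownerId == request.auth.uid
        && validPost(request.resource.data)
        && request.resource.data.ownerId == resource.data.ownerId
        && request.resource.data.createdAt == resource.data.createdAt;

      allow delete: if signedIn() && resource.data.ownerId == request.auth.uid;
    }

    // Any path not matched above is denied by default.
  }
}
```

Exercise the rules against allowed and rejected writes in the Firestore emulator before deploying them.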
