Firestore Emulator REST API authentication


Question


I'm looking for some confirmation of expected behaviour for the way the Firestore Emulator REST API handles unauthenticated requests as I think I may have found some possible inconsistencies.


I've been playing around with the Firestore Emulator REST API using Postman for a personal project. If I run the Emulator (firebase emulators:start --only=firestore), I'm able to make the following requests successfully WITHOUT needing to pass any Bearer token in the Authorization header with the request:

  • GET http://localhost:8080/v1/projects/<MY_PROJECT_ID>/databases/(default)/documents/ (Returns all documents)
  • DELETE http://localhost:8080/v1/projects/<MY_PROJECT_ID>/databases/(default)/documents/<COLLECTION_ID>/<DOCUMENT_ID> (Deletes an individual document)
  • POST http://localhost:8080/v1/projects/<MY_PROJECT_ID>/databases/(default)/documents/<COLLECTION_ID> (Creates a new document in a collection)
  • PATCH http://localhost:8080/v1/projects/<MY_PROJECT_ID>/databases/(default)/documents/<COLLECTION_ID>/<DOCUMENT_ID> (Updates a document)


However, when I try to get a list of collection IDs as described here using the following request, I get the following error:

  • POST http://localhost:8080/v1/projects/<MY_PROJECT_ID>/databases/(default)/documents:listCollectionIds

The response is:

{
    "error": {
        "code": 403,
        "message": "Metadata operations require admin authentication.",
        "status": "PERMISSION_DENIED"
    }
}


If I pass a Bearer token, this request will then run successfully. I generated the token using gcloud auth application-default print-access-token (as described here).


Please note, I've set my Firestore Rules to allow all reads and writes for all documents to make things simpler for now:

service cloud.firestore {
  match /databases/{database}/documents {
    // Wide open for local testing: every read and write passes rules.
    match /{document=**} {
      allow read, write: if true;
    }
  }
}


The docs give details for authentication, however, the context they describe this in is for making requests against https://firestore.googleapis.com/v1/ rather than when using the Emulator.


I'd expect all requests to the Emulator API to not require any authentication, but it seems that some do and some do not and I haven't been able to find any other details in the documentation around how the Emulator should work.


At the moment, I'm not sure if this is a bug and I should file an issue on GitHub, or whether it is expected behaviour and I should just pass a Bearer token with every request to be safe.


Any help would be appreciated. Thanks.

Answer


This matches the behavior of the real API. When you send a request without an auth token, you're attempting to authenticate through the security rules system. Certain methods do not support authentication through security rules, because you would probably not want end-users calling them. These are mostly database administration methods, hence the error description. For example, you would not want end-users calling any indexing methods.


listCollectionIds is one of these administrative methods. This is also why this feature is not supported by the web, iOS, and Android SDKs.
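The request flow discussed in the question and answer, as an added example that is not code from the original post: ordinary document calls go out with no Authorization header and are judged by the security rules, while documents:listCollectionIds is retried with a Bearer token when the emulator answers with the "admin authentication" 403. The token is obtained the way the question does it, by shelling out to gcloud auth application-default print-access-token. The emulator host (localhost:8080), the project ID, and the sample 403 body are assumptions or constructed from the text on this page; only the Python standard library is used.

```python
"""Calling the Firestore Emulator REST API with and without admin auth.

Added example, not code from the question or answer. Assumes the emulator
listens on localhost:8080 (as in the post) and uses a placeholder project ID.
"""
import json
import subprocess
import urllib.error
import urllib.request

EMULATOR_HOST = "http://localhost:8080"   # assumption: default emulator port
PROJECT_ID = "my-project"                  # assumption: placeholder project ID

# Constructed sample: the 403 body the question reports for listCollectionIds.
SAMPLE_DENIED_BODY = json.dumps({
    "error": {
        "code": 403,
        "message": "Metadata operations require admin authentication.",
        "status": "PERMISSION_DENIED",
    }
})


def doc_path(collection=None, document=None):
    """Path under the (default) database, optionally down to one document."""
    path = f"/v1/projects/{PROJECT_ID}/databases/(default)/documents"
    if collection:
        path += f"/{collection}"
        if document:
            path += f"/{document}"
    return path


def build_request(method, path, body=None, token=None):
    """Build a urllib Request; the Bearer header is set only when a token is given."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(EMULATOR_HOST + path, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    return req


def send(req):
    """Send the request; return (status, body_text), also for HTTP error statuses."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def is_admin_denied(status, body_text):
    """True if the response is the emulator's 'admin authentication' refusal."""
    if status != 403:
        return False
    try:
        error = json.loads(body_text).get("error", {})
    except ValueError:
        return False
    return (error.get("status") == "PERMISSION_DENIED"
            and "admin authentication" in error.get("message", ""))


def gcloud_access_token():
    """Admin token the way the question obtains it (assumes gcloud is logged in)."""
    out = subprocess.check_output(
        ["gcloud", "auth", "application-default", "print-access-token"], text=True)
    return out.strip()


def list_collection_ids(token_provider=gcloud_access_token, sender=send):
    """Call documents:listCollectionIds; add the admin token only if refused."""
    path = doc_path() + ":listCollectionIds"
    status, body = sender(build_request("POST", path, body={}))
    if is_admin_denied(status, body):
        status, body = sender(build_request("POST", path, body={}, token=token_provider()))
    if status != 200:
        raise RuntimeError(f"listCollectionIds failed: {status} {body}")
    return json.loads(body).get("collectionIds", [])


if __name__ == "__main__":
    # Unauthenticated read; passes under the permissive rules in the question.
    status, body = send(build_request("GET", doc_path()))
    print("GET documents:", status)
    print("collections:", list_collection_ids())
```

The sender parameter exists so the retry logic can be exercised without a running emulator; in normal use the default send() is used. Sending the token with every request, as the question considers, is also fine for the emulator: rules-evaluated calls are unaffected by it, and the admin-gated ones require it.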
