Is Anonymous Authentication Enough?

Problem description

I'm developing an app that doesn't require logging in because there isn't any user-specific data. My original plan was to just make my entire database be read only. However, upon doing some research, I found that those security rules would leave my database very vulnerable. My new plan is to implement anonymous authentication for each new user that opens my app and then delete that user once they exit my app. The security rule would be just to allow reading if the user is authenticated. Is this enough to prevent someone from abusing queries to my database?

Recommended answer

Generally, no.

Solely using anonymous authentication adds a hurdle to accessing your database and will protect it from simple read queries as if your database was fully open, but you should combine that with security rules that limit the queries that can be performed.

Assuming we are starting with these barebone rules:

// Allow read access on all documents to any user signed in to the application,
// and write access to only administrators
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      // request.auth is null for unauthenticated callers
      allow read: if request.auth != null;
      // the rules language uses ==, not ===
      allow write: if request.auth.token.isAdmin == true;
    }
  }
}

To tighten up your rules, you should first remove the wildcard entry and replace it with fixed document paths.

// Allow read access on all documents at /posts/{postId} to any user signed in to the application,
// and write access to only administrators
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{postId} {
      allow read: if request.auth != null;
      allow write: if request.auth.token.isAdmin == true;
    }
  }
}

Or even:

// Allow read access on all documents at /posts/{postId} to any user signed in to the application,
// and write access to only administrators
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{postId} {
      allow read: if request.auth != null;
      allow write: if request.auth.token.isAdmin == true;

      // allow same permissions on subcollections of /posts/{postId}
      match /{document=**} {
        allow read: if request.auth != null;
        allow write: if request.auth.token.isAdmin == true;
      }
    }
  }
}

Next you should consider adding rules that limit the size of queries performed against your database using the granular security rule list as described in Securely query data of the Firebase Documentation.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{postId} {

      // Deny any query not limited to 10 or fewer documents
      // (a query that sets no limit fails this comparison and is denied too)
      allow list: if request.auth != null
                  && request.query.limit <= 10;

      // Anyone signed in can retrieve an individual post
      allow get: if request.auth != null;

      // Only an admin can write to posts
      allow write: if request.auth.token.isAdmin == true;
    }
  }
}

Depending on how frequently the data is updated, you may also consider storing data bundles on Firebase Storage or you could even serve the data from Firebase Hosting where they can be served by a CDN instead of your application.
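The following is an added example, not code from the answer above: a small JavaScript model of how the tightened /posts/{postId} rules decide a request, useful for reasoning about the edge cases (signed-out caller, query with no limit, missing isAdmin claim) before running the real rules through the emulator. It assumes the rules-language behaviour that a runtime error inside an `allow` expression (reading a field of null, comparing null with a number, looking up a missing map key) fails that condition and so denies; the Firebase engine itself is not used, and the identities and requests are constructed.

```javascript
// Model of how the tightened /posts/{postId} rules decide a request (added example;
// not the Firebase engine). A runtime error in an `allow` expression denies the request.
function field(obj, key) {
  // Field access fails on null and on missing keys, as in the rules language.
  if (obj === null || obj === undefined) throw new Error("property access on null");
  if (!(key in obj)) throw new Error("missing key: " + key);
  return obj[key];
}
function lte(a, b) {
  // Comparison fails when a side is null, e.g. request.query.limit with no limit set.
  if (typeof a !== "number" || typeof b !== "number") throw new Error("non-numeric compare");
  return a <= b;
}
// The three allow statements, transcribed as predicates over the request object.
const allow = {
  // allow list: if request.auth != null && request.query.limit <= 10;
  list: (r) => field(r, "auth") !== null && lte(field(field(r, "query"), "limit"), 10),
  // allow get: if request.auth != null;
  get: (r) => field(r, "auth") !== null,
  // allow write: if request.auth.token.isAdmin == true;
  write: (r) => field(field(field(r, "auth"), "token"), "isAdmin") === true,
};
// A request is allowed only if its predicate returns true; any error is a deny.
function decide(method, request) {
  try {
    return allow[method](request) === true;
  } catch (e) {
    return false;
  }
}
// `auth` is null for signed-out callers; `limit` is null when the query sets none.
function makeRequest(auth, limit) {
  return { auth: auth, query: { limit: limit } };
}
// Constructed identities: an anonymous-auth user (no custom claims) and an admin
// carrying the isAdmin custom claim the rules check.
const anonymousUser = { uid: "anon-1", token: { firebase: { sign_in_provider: "anonymous" } } };
const adminUser = { uid: "admin-1", token: { isAdmin: true } };
// The decisions a practitioner would verify before deploying the rules.
function decisions() {
  return {
    anonGet: decide("get", makeRequest(anonymousUser, null)),          // true
    signedOutGet: decide("get", makeRequest(null, null)),              // false
    anonListLimit10: decide("list", makeRequest(anonymousUser, 10)),   // true
    anonListLimit50: decide("list", makeRequest(anonymousUser, 50)),   // false
    anonListNoLimit: decide("list", makeRequest(anonymousUser, null)), // false: no limit
    anonWrite: decide("write", makeRequest(anonymousUser, null)),      // false: no claim
    adminWrite: decide("write", makeRequest(adminUser, null)),         // true
  };
}
```

The model confirms the point of the answer: anonymous sign-in alone only gates reads, and it is the `list` limit and the admin claim that stop bulk reads and writes.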
