您的Cloud Firestore数据库不安全:任何用户都可以读取您的整个数据库 [英] Your Cloud Firestore database has insecure: any user can read your entire database

问题描述

使用Firestore数据库获取内容来构建应用.

Building an app, using Firestore database for its content.

规则是:

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /{document=**} {
      allow read: if true
      allow write: if request.auth.uid == request.resource.data.author_uid
    }
  }
}

正如警告所言，我允许将read设置为 true ，这是我理解的问题.

As the warning says, I have allow read just set to true, which I understand, is a problem.

如何使Flutter应用可以读取Firestore数据库的内容，但任何随机用户都不能读取?该应用程序是公共的/免费的...等等，所以我不希望人们必须登录.

How do I make it so my Flutter app can read the contents of my Firestore database, but any random user can't? The app is public/free...etc, so I don't want people to have to login.

我是否给我的应用某种代码并进行检查?还是...?

Do I give my app some kind of code and check against that? Or...?

更新:我看到有匿名登录名，可以解决此问题，但是那太过分了吗?真的有帮助吗?这样可以防止我的应用程序离线使用吗?...等

Update: I see that there is anonymous login, which could solve the issue, but is that overkill? Does it actually help? Will it then keep my app from being used offline? ...etc

推荐答案

无法基于它是您的应用程序还是您的代码来保护访问.这根本不是安全性与基于云的服务一起工作的方式.如果您想限制应用程序的合法用户访问，则必须登录这些用户并以某种方式使其合法化.

There is no way to secure access based on it being your app, or your code. That's simply not how security works with cloud based services. If you want to limit access to legitimate users of your app, you will have to sign those users in and somehow legitimize them.

在这里合法的手段当然取决于您.无论是他们已登录"( request.auth！= null )，还是他们已验证其电子邮件地址，以便您可以与他们联系( request.auth.token.email_verified ==true )或其他众多选项之一，这一切都是可能的.

What legitimate means here is up to you of course. Whether that is "they are signed in" (request.auth != null), or that they verified their email address so you can contact them (request.auth.token. email_verified == true), or one of the many other options, it's all possible.

另请参阅:

• 锁定Firebase数据库对特定应用程序的访问权限(其中包括更多链接)
• 如何进行Firebase存储仅适用于该应用的用户
• 将Firebase限制为不具有单个android应用的访问权限身份验证(同样具有更多链接)
• 如何防止未经授权的情况可以访问我的Firebase数据库?(可能是该主题的最旧答案)

• Locking down Firebase DB access to specific apps (which includes many more links)
• How to make firebase storage only available to users of the app
• Restrict firebase access to a single android app without authentication (again with more links)
• How do I prevent un-authorized access to my Firebase Database? (probably the oldest answer on the topic)

这篇关于您的Cloud Firestore数据库不安全:任何用户都可以读取您的整个数据库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！