Firebase电子邮件说我的实时数据库规则有不安全的规则 [英] Firebase email saying my Realtime Database Rules has insecure rules
问题描述
我想回想一下几年前提出的问题,因为我有相同的规则
- 除电子邮件/密码外,所有登录方法均被禁用.
- 我只有一个电子邮件/密码帐户.
- 我不允许任何人登录-没有GUI登录.
问题是:我还可以做些什么来完全保护我的Firebase数据库?谢谢!
您必须知道,(1)某人拥有Firebase项目的Web API密钥,以及(2)电子邮件/密码登录方法启用后,此人可以使用 Firebase Auth REST API 和注册您的项目(即创建一个新帐户).
如果您部署链接到Firebase项目的应用程序(Android,iOS,Web ...),则获取Web API密钥并不是很困难.
因此,仅基于"auth!= null" 的规则允许已通过REST API进行注册的任何人访问您的实时数据库.无需使用任何GUI :通过Auth REST API进行标识后,用户可以使用 RTDB REST API .
一种避免不希望的"操作的经典方法.用户访问数据,是将一个或多个自定义声明添加到所需帐户并在安全规则中使用这些声明:请参阅Firebase email saying my realtime database has insecure rules
Here is my Rules:
- All Sign-in Methods are disabled except for email/password.
- I only have one account of email/password.
- I don't allow anyone to log in - no GUI to log into.
So the question is: What else can I do to totally secure my Firebase Database? Thanks!
You have to know that as soon as (1) someone has the Web API Key of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign-up to your project (i.e. create a new account).
Getting the Web API Key is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).
Consequently, rules only based on "auth != null" allow anyone that has signed-up through the REST API accessing your Realtime Database. No need to use any GUI: after having been identified through the Auth REST API, the user can use the RTDB REST API.
One classical approach to avoid "non-desired" users to access data, is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules: See the doc for more details.
这篇关于Firebase电子邮件说我的实时数据库规则有不安全的规则的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
