Does Firebase Firestore have measures to stop malicious requests?


Problem description

Since Firebase Firestore is priced per operation (read, write, delete), my biggest concern is that someone may get their hands on a valid endpoint to either read, write, or delete a document, and just perform this operation numerous times outside the expected scope of its use.

Are there any measures that prevent malicious requests? For example, if an operation occurred 10,000 times per minute, does the user then experience some kind of lock-out, or would these requests be considered legitimate?

I understand there are database security rules, but they seem insufficient. Sure, I can check if a user is authenticated, etc., but what is to stop a malicious user from getting authenticated, figuring out where the valid and permitted endpoints to read, write, or delete documents are, and just creating a script to do that on repeat?

I also understand that I can set daily spending limits. But that would just limit the amount of money I was spending, not a malicious user who could potentially use up those limits and cause the database to stop working.

My question is not concerned solely with billing. It is concerned with malicious users who MAY HAVE access to read/write a document AND abuse this right by writing a script that drives up the number of operations with the intent of abuse. Does Firebase have any measures to stop this or not?

And if the response is "There exist security rules", then please tell me how these security rules can be written to not allow more than 100 requests per minute from the same user, or something along those lines.

Recommended answer

First, I feel the need to clarify that I love Firebase. But... this is probably one of the most annoying aspects of it. I feel this should come solved out of the box in the form of a configurable threshold per user.

With that said, IMHO you have only 2 viable options:

This is the easy answer, and it defeats the main advantages of Firestore, so I won't dig deep here. Just know that it would be a valid option to create a cloud function endpoint and validate or block requests based on your backend logic.

The only way (that I could discover) to solve malicious user behavior is to keep a counter of operations by user.

  • First, you need to set up a cloud function that listens for write operations on the collection you want to protect.
  • Then create a private document per user that counts the write operations performed on that collection.
  • Finally, write a rule that, for example, blocks users who have performed a large number of writes in the last hour.

This will obviously incur extra costs for the cloud function, the extra writes to keep the counters, and the extra reads used to get the private document with the counter in the security rules validation.
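The counter approach sketched in the answer, worked through as an added example that is not part of the original answer. The counting and decision logic is plain JavaScript so it can be run and tested offline; the Firestore trigger and security rule that would wrap it are shown only in comments. The collection name `rate_limits`, the field names `windowStart` and `count`, the one-hour window and the limit of 100 are all assumptions chosen for illustration, not Firebase defaults.

```javascript
// Added example: per-user write counter with a fixed one-hour window.
// Assumed layout: a private document at rate_limits/{uid} holding
// { windowStart: <ms epoch>, count: <writes in the current window> }.

const WINDOW_MS = 60 * 60 * 1000; // one hour, as in the answer's example
const WRITE_LIMIT = 100;          // assumed threshold per user per window

// Counter document after recording one more write at time nowMs.
// The window resets once an hour has elapsed since it was opened.
// In production this runs inside the Cloud Function trigger, e.g.
//   functions.firestore.document('posts/{id}').onCreate(async (snap, ctx) => {
//     const uid = snap.data().authorUid;            // assumed field
//     const ref = db.doc(`rate_limits/${uid}`);
//     await db.runTransaction(async (tx) => {
//       const cur = (await tx.get(ref)).data() || null;
//       tx.set(ref, recordWrite(cur, Date.now()));
//     });
//   });
function recordWrite(counter, nowMs) {
  if (!counter || nowMs - counter.windowStart >= WINDOW_MS) {
    return { windowStart: nowMs, count: 1 };
  }
  return { windowStart: counter.windowStart, count: counter.count + 1 };
}

// The decision the security rule makes: deny once the user has used up
// the limit in the current window. The matching rule would be roughly
//   match /posts/{id} {
//     allow create: if request.auth != null
//       && (!exists(/databases/$(database)/documents/rate_limits/$(request.auth.uid))
//           || get(/databases/$(database)/documents/rate_limits/$(request.auth.uid)).data.count < 100);
//   }
// The exists() guard matters: a missing counter document must mean
// "first write, allow", not a rule evaluation error that denies everyone.
// Each get() in the rule is the extra read the answer warns about.
function isAllowed(counter, nowMs, limit = WRITE_LIMIT) {
  if (!counter || nowMs - counter.windowStart >= WINDOW_MS) return true;
  return counter.count < limit;
}

// Simulates a burst of attempted writes from one user. Each attempt is an
// offset in ms from startMs; the rule check and the trigger's counter
// update are applied in sequence the way they would be in Firestore.
function simulate(attemptOffsetsMs, startMs, limit = WRITE_LIMIT) {
  let counter = null;
  let accepted = 0;
  let rejected = 0;
  for (const offsetMs of attemptOffsetsMs) {
    const now = startMs + offsetMs;
    if (isAllowed(counter, now, limit)) {
      accepted += 1;
      counter = recordWrite(counter, now);
    } else {
      rejected += 1;
    }
  }
  return { accepted, rejected, counter };
}

// Constructed scenario: 150 writes one second apart (a scripted burst),
// then one more write two hours later after the window has expired.
const burst = Array.from({ length: 150 }, (_, i) => i * 1000);
const result = simulate([...burst, 2 * WINDOW_MS], 1_700_000_000_000);
console.log(result); // accepted: 101, rejected: 50, counter.count: 1
```

Note that the rule reads the counter that the trigger wrote on previous writes, so the check is always one write behind and a single burst can slip a few extra writes through before the counter catches up; that is inherent to the approach the answer describes and is acceptable when the goal is capping cost rather than exact enforcement.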
