How does the firebase authentication and realtime application database secure itself?


Question


I'm curious about this from a general development perspective of how to secure access to online resources. We initialize our webapp with the following firebase configuration parameters:

  • apikey
  • authdomain
  • projectid
  • databaseURL
  • messagesenderid


How does the server use these to ensure that the requests are valid? Mainly, why can't someone else just fish these parameters out of the application and then create another "Evil" application that uses the same parameters for "Evil"?


"Evil" would include creating a different app with the same credentials fished out of the real app, signing up users against the same credentials contained in the real app using the plain email / password signup form, and then, once the users are signed in, doing even more "Evil".


Also, for a simple Node Express.js application where we wanted to secure access to it using the above parameters, how would that work from an application request lifecycle perspective?


1) Express receives request


2) Express checks that ...


Lastly, is any of this part of how openid-connect works? In other words, is it following the openid-connect spec at all, or is it a custom security solution built specifically for Firebase?

Answer


These configuration parameters do nothing more than identify your Firebase project on the various servers. They are not in any way meant as an authentication/authorization mechanism.

See my answers here:

  • My answer on How to restrict Firebase data modification?
  • and Kato's excellent answer to How to prevent other access to my firebase


You'll note that most of these point to Firebase Authentication for authenticating users, and then server-side security rules for authorizing their access. With both of these in place, it doesn't really matter anymore what code performs the access. If the user is authenticated against the same back-end, and the data access adheres to your server-side security rules, it means it follows the rules you set, no matter whose code it is.
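The Express-side check that the question leaves as "2) Express checks that ...", worked through as an added example (not part of the original question or answer): the public config values play no role in it; the server verifies the Firebase ID token the client sends and then applies its own rule, so it does not matter which client code made the request. It assumes firebase-admin's `admin.auth().verifyIdToken` as the real verifier, replaced by a constructed stand-in here so it runs offline.

```javascript
// Added example, not from the original post: an Express-style middleware
// showing the "2) Express checks that ..." step. The public config values play
// no part; the check is on the Firebase ID token the client sends. In a real
// app `verifyIdToken` would be admin.auth().verifyIdToken from firebase-admin
// (assumption); a constructed stand-in is used here so the code runs offline.
function makeAuthMiddleware(verifyIdToken) {
  return async function requireFirebaseUser(req, res, next) {
    const match = /^Bearer\s+(.+)$/i.exec(req.headers['authorization'] || '');
    if (!match) return res.status(401).json({ error: 'missing bearer token' });
    try {
      const decoded = await verifyIdToken(match[1]); // throws if forged/expired
      req.user = { uid: decoded.uid };
      return next();
    } catch (e) {
      return res.status(401).json({ error: 'invalid or expired token' });
    }
  };
}

// Server-side rule: a user may only read their own record, whoever wrote the client.
function ownProfileHandler(req, res) {
  if (req.params.uid !== req.user.uid) return res.status(403).json({ error: 'forbidden' });
  return res.status(200).json({ uid: req.user.uid });
}

// Constructed stand-in for admin.auth().verifyIdToken: accepts one known token.
async function fakeVerifyIdToken(token) {
  if (token === 'valid-token-for-alice') return { uid: 'alice' };
  throw new Error('bad token');
}

// Minimal fake res so the flow can be exercised without Express installed.
function fakeRes() {
  const r = { statusCode: 0, body: null };
  r.status = (c) => { r.statusCode = c; return r; };
  r.json = (b) => { r.body = b; return r; };
  return r;
}

// Runs one request through middleware + handler and returns the HTTP status.
async function simulate(authHeader, uidParam) {
  const req = { headers: { authorization: authHeader }, params: { uid: uidParam } };
  const res = fakeRes();
  await makeAuthMiddleware(fakeVerifyIdToken)(req, res, () => ownProfileHandler(req, res));
  return res.statusCode;
}
```

A request with a valid token for its own uid gets 200, a valid token for someone else's uid gets 403, and a forged or missing token gets 401, regardless of which app produced the request.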
