允许未注册的用户查询Firestore以检查电子邮件是否已经存在 [英] Allow unregistered users to query Firestore to check if an E-Mail already exists

问题描述

现在，在我的Firestore规则中，只有注册用户具有对我的项目的读/写访问权限.但是，我还想在注册过程中验证电子邮件是否已经存在，这意味着匿名用户也可以访问我的用户"数据.

Right now, in my Firestore rules only registered users have read / write access to my project. However, I also want to verify in my registration process if an E-Mail already exists, which means also anonymous user have access to my "users" data.

从安全的角度来看，我不确定这是如何合规的.我是否应该创建类似电子邮件"的集合并在此处复制所有电子邮件地址，并允许匿名用户对此进行查询?

I am unsure how this is compliant from a security perspective. Should I create something like a "emails" collection and duplicate all E-Mail addresses here and allow anonymous users to query this?

推荐答案

是的，这确实是典型的方法.将您希望匿名访问的数据复制到一个单独的集合中，并在那里授予更广泛的访问限制.

Yup, that is indeed the typical approach. Duplicate the data that you want anonymously accessible into a separate collection, and grant broader access restrictions there.

在该电子邮件地址收集规则中，您通常使用详细规则，该规则允许阅读每个特定文档，但不允许列出所有文档.像这样:

In the rules for that collection of email addresses you will typically use granular rules that allow reading each specific document, but to disallow listing all documents. Something like:

match /emails/{email} {
  // Applies to single document read requests
  allow get: if <condition>;

  // Applies to queries and collection read requests
  allow list: if false;
}

这意味着一旦用户键入了特定的电子邮件地址，您就可以检查该电子邮件地址是否存在文档.但是他们不能仅仅从馆藏中获取所有文档来刮擦您的用户群.

This means that once the user has typed a specific email address, you can check if a document exists for that email address. But they can't just get all documents from the collection to scrape your user base.

这篇关于允许未注册的用户查询Firestore以检查电子邮件是否已经存在的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！