允许未注册的用户查询Firestore以检查电子邮件是否已经存在 [英] Allow unregistered users to query Firestore to check if an E-Mail already exists
问题描述
现在,在我的Firestore规则中,只有注册用户具有对我的项目的读/写访问权限.但是,我还想在注册过程中验证电子邮件是否已经存在,这意味着匿名用户也可以访问我的用户"数据.
Right now, in my Firestore rules only registered users have read / write access to my project. However, I also want to verify in my registration process if an E-Mail already exists, which means also anonymous user have access to my "users" data.
从安全的角度来看,我不确定这是如何合规的.我是否应该创建类似电子邮件"的集合并在此处复制所有电子邮件地址,并允许匿名用户对此进行查询?
I am unsure how this is compliant from a security perspective. Should I create something like a "emails" collection and duplicate all E-Mail addresses here and allow anonymous users to query this?
推荐答案
是的,这确实是典型的方法.将您希望匿名访问的数据复制到一个单独的集合中,并在那里授予更广泛的访问限制.
Yup, that is indeed the typical approach. Duplicate the data that you want anonymously accessible into a separate collection, and grant broader access restrictions there.
在该电子邮件地址收集规则中,您通常使用详细规则,该规则允许阅读每个特定文档,但不允许列出所有文档.像这样:
In the rules for that collection of email addresses you will typically use granular rules that allow reading each specific document, but to disallow listing all documents. Something like:
match /emails/{email} {
// Applies to single document read requests
allow get: if <condition>;
// Applies to queries and collection read requests
allow list: if false;
}
这意味着一旦用户键入了特定的电子邮件地址,您就可以检查该电子邮件地址是否存在文档.但是他们不能仅仅从馆藏中获取所有文档来刮擦您的用户群.
This means that once the user has typed a specific email address, you can check if a document exists for that email address. But they can't just get all documents from the collection to scrape your user base.
这篇关于允许未注册的用户查询Firestore以检查电子邮件是否已经存在的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!