Firebase email saying my realtime database has insecure rules


Question

I recently received an email from firebase telling me that my realtime database has insecure rules. These are the rules that I have set:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

Aren't these secure rules?

Email/Password is the only sign-in method that I have enabled.

Recommended answer

firebaser here

I'm sorry if the email wasn't very explicit about what isn't secure about those rules. Securing your user's data is a crucial step for any app that you make available, so I'll try to explain a bit more about how that works below.

The (default) rules you have allow anyone who is signed in to your back-end full read/write access to the entire database. This is only a very basic layer of security.

On the one hand this is more secure than just granting everyone access to your database, at least they have to be signed in.

On the other hand, if you enable any auth provider in Firebase Authentication, anyone can sign in to your back-end, even without using your app. Depending on the provider, this can be as easy as running a bit of JavaScript in your browser's developer console. And once they are signed in, they can read and write anything in your database. This means they can delete all data with a simple command like firebase.database().ref().delete().

To make the data access more secure, you'll want to more tightly control what each signed-in user can do. For example, say that you keep a profile with information about each user under /users. You might want to allow all users to access these profiles, but you definitely want users to only be allowed to modify their own data. You can secure this with these rules:

{
  "rules": {
    "users": {
      ".read": true,
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid"
      }
    }
  }
}

With these rules, everyone (even non-authenticated users) can read all profiles. But each profile can only be modified by the user whose profile it is. For more on this, see the Firebase documentation on securing user data.

In addition to ensuring that all access to data is authorized, you'll also want to ensure that all data stored is valid to whatever rules you have for your app. For example, say that you want to store two properties for a user: their name, and their age (just for the sake of the example, in reality you'd probably store their date-of-birth instead). So you could store this as something like:

"users": {
  "uidOfPuf": {
    "name": "Frank van Puffelen",
    "age": 48
  }
}

To ensure only this data can be written, you can use these rules:

{
  "rules": {
    "users": {
      ".read": true,
      "$user_id": {
        ".write": "$user_id === auth.uid",
        // a profile must have both properties (newData is the value being written)
        ".validate": "newData.hasChildren(['name', 'age'])",
        "name": {
          ".validate": "newData.isString()"
        },
        "age": {
          ".validate": "newData.isNumber()"
        },
        // any other child is rejected
        "$other": {
          ".validate": false
        }
      }
    }
  }
}

These rules ensure that each user profile has a name and age property with a string and numeric value respectively. If someone tries to write any additional properties, the write is rejected.

Above is a quick primer on how to think about securing your (user's) data. I recommend that you check out the Firebase security documentation (and the embedded video) for more.

Update: since May 2021 you can also use Firebase App Check to restrict access to calls just coming from your web site or app. This is another, quick way to reduce the abuse of your database. This approach is not foolproof though, so you'll want to combine App Check for broad protection, with the security rules for fine-grained control.
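The behaviour the answer describes, as an added example that is not part of the original post and not Firebase's own code: a small JavaScript model of rule evaluation, run against the answer's two rule sets. Under the default rules any signed-in account can write null at the root (the `ref().delete()` case), while under the per-user rules a signed-in account can only modify its own profile, extra or mistyped properties are rejected by `.validate`, and a delete of your own profile still succeeds because `.validate` is not evaluated for null. The semantics implemented here (write permission granted by the node or any ancestor, validation only at the written location and below, validation skipped for deletes, a rule that throws treated as denied) are this example's reading of the Firebase documentation, not the real engine; `checkRead`, `checkWrite`, `runScenarios` and the second account `uidOfMallory` with its sample data are all constructed for the example.

```javascript
// Added example (not from the answer): a small model of Realtime Database rule evaluation.
// It is NOT the Firebase engine: it models cascading .read/.write, non-cascading .validate,
// $wildcards, auth and data/newData only; no root, priority, query rules or multi-path updates.
class Snap { // stand-in for RuleDataSnapshot with only the methods the page's rules use
  constructor(v) { this.v = v === undefined ? null : v; }
  isString() { return typeof this.v === 'string'; }
  isNumber() { return typeof this.v === 'number'; }
  hasChildren(keys) { // no argument: any child; with keys: every listed child is non-null
    if (this.v === null || typeof this.v !== 'object') return false;
    const ks = keys || Object.keys(this.v);
    return ks.length > 0 && ks.every((k) => this.v[k] !== undefined && this.v[k] !== null);
  }
}
const getAt = (tree, path) => path.reduce((cur, seg) =>
  (cur !== null && typeof cur === 'object' && cur[seg] !== undefined ? cur[seg] : null), tree);

function applyWrite(tree, path, value) { // tree after writing value (null = delete) at path
  if (path.length === 0) return value === null ? null : JSON.parse(JSON.stringify(value));
  const copy = tree !== null && typeof tree === 'object' ? { ...tree } : {};
  const child = applyWrite(copy[path[0]] === undefined ? null : copy[path[0]], path.slice(1), value);
  if (child === null) delete copy[path[0]]; else copy[path[0]] = child;
  return Object.keys(copy).length ? copy : null; // empty nodes do not exist in RTDB
}
function evalRule(rule, ctx) { // rule strings are JS-like; ctx vars become parameters
  if (typeof rule === 'boolean') return rule;
  const names = Object.keys(ctx); // auth, data, newData and any bound $wildcard
  try { return new Function(...names, `"use strict"; return (${rule});`)(...names.map((n) => ctx[n])) === true; }
  catch (e) { return false; } // a throwing rule (e.g. auth.uid with auth null) denies
}
function childRule(node, key) { // exact key first, otherwise the $wildcard at that level
  if (!key.startsWith('.') && Object.prototype.hasOwnProperty.call(node, key)) return [key, node[key]];
  const wild = Object.keys(node).find((k) => k.startsWith('$'));
  return wild ? [wild, node[wild]] : [null, null];
}
const ctxAt = (db, after, auth, path, vars) =>
  ({ auth, data: new Snap(getAt(db, path)), newData: new Snap(getAt(after, path)), ...vars });

// .read/.write cascade downward: a grant on the node or on any ancestor allows the operation.
function permitted(kind, rules, db, after, auth, path) {
  let node = rules.rules, vars = {};
  for (let i = 0; i <= path.length; i++) {
    if (kind in node && evalRule(node[kind], ctxAt(db, after, auth, path.slice(0, i), vars))) return true;
    if (i === path.length) break;
    const [ruleKey, next] = childRule(node, path[i]);
    if (!next) break; // no rules further down, so nothing else can grant access
    if (ruleKey.startsWith('$')) vars = { ...vars, [ruleKey]: path[i] };
    node = next;
  }
  return false;
}
// .validate runs on the written node and on each child of the new data that has a rule;
// it is skipped for null (deletes), and one failing rule rejects the whole write.
function validateNode(node, db, after, auth, path, vars) {
  const newVal = getAt(after, path);
  if (newVal === null) return true;
  if ('.validate' in node && !evalRule(node['.validate'], ctxAt(db, after, auth, path, vars))) return false;
  return typeof newVal !== 'object' || Object.keys(newVal).every((key) => {
    const [ruleKey, next] = childRule(node, key);
    return !next || validateNode(next, db, after, auth, [...path, key],
      ruleKey.startsWith('$') ? { ...vars, [ruleKey]: key } : vars);
  });
}
const checkRead = (rules, db, auth, path) => permitted('.read', rules, db, db, auth, path);
function checkWrite(rules, db, auth, path, value) {
  const after = applyWrite(db, path, value);
  if (!permitted('.write', rules, db, after, auth, path)) return false;
  let node = rules.rules, vars = {}; // walk to the rules node at the write path, then validate
  for (const seg of path) {
    const [ruleKey, next] = childRule(node, seg);
    if (!next) return true; // no rules at or below the write path: nothing to validate
    if (ruleKey.startsWith('$')) vars = { ...vars, [ruleKey]: seg };
    node = next;
  }
  return validateNode(node, db, after, auth, path, vars);
}
// The two rule sets from the answer, written as the rules language expects them.
const DEFAULT_RULES = { rules: { '.read': 'auth != null', '.write': 'auth != null' } };
const PROFILE_RULES = { rules: { users: { '.read': true, $user_id: {
  '.write': '$user_id === auth.uid', '.validate': "newData.hasChildren(['name', 'age'])",
  name: { '.validate': 'newData.isString()' }, age: { '.validate': 'newData.isNumber()' },
  $other: { '.validate': false } } } } };
// Constructed sample data: uidOfPuf is the answer's example; uidOfMallory is a made-up account
// standing in for someone who signed up from the browser console without using the app.
const SAMPLE_DB = { users: { uidOfPuf: { name: 'Frank van Puffelen', age: 48 },
                             uidOfMallory: { name: 'Mallory', age: 30 } } };
const mallory = { uid: 'uidOfMallory' }, own = ['users', 'uidOfMallory'];
function runScenarios() {
  return {
    defaultAnonWipe: checkWrite(DEFAULT_RULES, SAMPLE_DB, null, [], null),        // false: must be signed in
    defaultSignedInWipe: checkWrite(DEFAULT_RULES, SAMPLE_DB, mallory, [], null), // true: any account can wipe it
    profileSignedInWipe: checkWrite(PROFILE_RULES, SAMPLE_DB, mallory, [], null), // false: nothing grants root write
    profileAnonRead: checkRead(PROFILE_RULES, SAMPLE_DB, null, ['users']),        // true: ".read": true on /users
    profileOtherUser: checkWrite(PROFILE_RULES, SAMPLE_DB, mallory, ['users', 'uidOfPuf'], { name: 'x', age: 1 }), // false
    profileOwnValid: checkWrite(PROFILE_RULES, SAMPLE_DB, mallory, own, { name: 'Mallory', age: 31 }), // true
    profileExtraField: checkWrite(PROFILE_RULES, SAMPLE_DB, mallory, own, { name: 'Mallory', age: 31, admin: true }), // false: $other
    profileWrongType: checkWrite(PROFILE_RULES, SAMPLE_DB, mallory, own, { name: 'Mallory', age: 'old' }), // false: isNumber
    profileMissingAge: checkWrite(PROFILE_RULES, SAMPLE_DB, mallory, own, { name: 'Mallory' }), // false: hasChildren
    profileOwnDelete: checkWrite(PROFILE_RULES, SAMPLE_DB, mallory, own, null), // true: no .validate for null
  };
}
```

The model is only meant to make the cascade visible; before shipping rules, confirm the same cases in the Rules Playground of the Firebase console or with the rules unit-testing library against the emulator, which run the real engine.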
