锁定 Firebase 数据库对特定应用的访问 [英] Locking down Firebase DB access to specific apps
问题描述
我认为从网上搜索这在技术上是不可能的,但我想再问一次,以防我遗漏了什么.
I think from searching the web this is not technically possible but I want to ask again in case I'm missing something.
我有一个使用 Firebase 的应用.读取和写入仅通过授权用户的安全规则锁定,但我希望未经授权的用户能够访问某些信息(因此我不必在他们面前放置登录墙,从而影响流失).
I have an app that uses Firebase. Reading and writing is locked down through security rules for authorised users only but there's certain information I want unauthorised users to be able to access (so I don't have to put a login wall in front of them, influencing churn).
我想知道的是,有没有办法锁定只有我的应用程序可以调用数据库的读取访问权限?我知道我可以锁定域以防止有人编写本地主机爬虫,但是有什么可以阻止某人克隆和重新设计应用程序并将其指向同一个后端?是否可以使用您的证书指纹来实现这一点?
What I want to know is, is there any way of locking down this read access that only my app can call the DB? I know I can lock down domains to prevent someone writing localhost scrapers but what's to stop someone cloning and re-skinning an app and pointing it to the same back end? Is it possible to achieve this using your certificates fingerprint?
推荐答案
没有办法将您的数据库的访问权限限制为只有您的应用程序.这与 Firebase API 的基于云的特性不符.原则上,任何知道您数据库 URL 的人都可以访问它,而安全规则是确保所有访问都获得授权的方式.
There is no way to limit access to your database to just your app. That just doesn't match with the cloud-based nature of the Firebase APIs. Anyone that knows the URL of your database can in in principle access it, and security rule are the way to ensure all access is authorized.
请注意,安全规则不是一种全有或全无的方法:您可以要求对数据库的某些部分进行登录,而让其他部分公开可读.但是您不能使公开可读的部分只能由您自己的应用程序读取.
Note that security rules are not an all-or-nothing approach: you can require sign-in for some parts of your database, while leaving other parts publicly readable. But you can't make the publicly readable parts only be readable by your own app.
之前关于同一主题的一些问题:
Some previous questions on the same topic:
- 如何确保只有我自己的网站(客户端代码)可以与 Firebase 后端通信?(这几乎是我的首选答案)
- 如何只允许我的应用无需登录即可访问 Firebase?
- 将 Firebase 数据库访问权限限制为一个 Android 应用
- 如何允许只有我的应用无需登录即可访问 firebase?
- how to make sure only my own website (clientside code) can talk to Firebase backend? (pretty much my go-to answer for this)
- How to allow only my app to access firebase without a login?
- Restrict Firebase database access to one Android app
- How to allow only my app to access firebase without a login?
更新:自 2021 年 5 月起,您可以通过实施Firebase 应用检查.
Update: since May 2021 you can actually restrict access to just users of your App by implementing Firebase App Check.
这篇关于锁定 Firebase 数据库对特定应用的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
