Email: [Firebase] Client access to your Cloud Firestore database expiring in X day(s)


Question

I got an email that indicates I was developing in "test mode", but that it left my database completely open to the internet. The default rules I initially accepted look like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // This rule allows anyone on the internet to view, edit, and delete
    // all data in your Firestore database. It is useful for getting
    // started, but it is configured to expire after 30 days because it
    // leaves your app open to attackers. At that time, all client
    // requests to your Firestore database will be denied.
    //
    // Make sure to write security rules for your app before that time, or else
    // your app will lose access to your Firestore database
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2019, 12, 14);
    }
  }
}

What needs to be done to satisfy the request of this email?

Answer

The security rules shown here are a departure from the previous default rules that were much more permissive. The idea with this rule:

match /{document=**} {
  allow read, write: if request.time < timestamp.date(2019, 12, 14);
}

is that you get unrestricted access to your Firestore database up until the given date, in order to freely experiment with it for a month. However, allowing unrestricted access is obviously a massive security hole in the long run.

The recommended course of action is to first remove this rule entirely as it allows anyone to read and write anything in your database. Then, devise some proper rules that allow only access to collections and documents that your eventual users should be able to access. A full discussion of that is off-topic for Stack Overflow (as we don't know your app's requirements), but here are some good places to start learning about security rules:

What you should be doing is calling out the access constraints for each collection and subcollection in your database. Ideally, you should lock down unauthenticated write access to all collections, except where absolutely required. In the best case, you're using Firebase Authentication to help control access to documents only as required for authenticated users.

Alternatively, if you're done working with the database (for the time being), you can block access to the database from web and mobile clients entirely by using the following rule exclusively:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    allow read, write: if false;
  }
}

With this rule, access from backend code using the Firebase Admin SDK or other Cloud SDKs will still be allowed.
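The answer above says to replace the expiring catch-all with per-collection rules that lock down unauthenticated writes and lean on Firebase Authentication. The ruleset below is an added example of what that looks like; it is not part of the original question or answer, and the `users` and `posts` collections, the `author` field and the helper function names are assumptions chosen for illustration. Only the `request`, `resource`, `request.auth` and `rules_version` constructs are the real Firestore rules language.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions (names are assumptions for this example).
    // signedIn(): the request carries a Firebase Authentication token.
    function signedIn() {
      return request.auth != null;
    }
    // isOwner(uid): the caller is signed in as exactly that user.
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // Assumed "users" collection keyed by uid: a user may read and write
    // only their own profile document, nobody else's.
    match /users/{uid} {
      allow read, write: if isOwner(uid);
    }

    // Assumed "posts" collection with an "author" field holding a uid.
    // Reads are public; every write requires authentication.
    match /posts/{postId} {
      allow read: if true;
      // Creating a post requires a signed-in user who names themselves
      // as author, so nobody can forge a post under another uid.
      allow create: if signedIn()
                    && request.resource.data.author == request.auth.uid;
      // Only the existing author may update, and the update may not
      // reassign the post to a different author.
      allow update: if isOwner(resource.data.author)
                    && request.resource.data.author == resource.data.author;
      allow delete: if isOwner(resource.data.author);
    }

    // Firestore denies anything no rule matches, so this block changes
    // nothing functionally; it is here to make the default explicit and
    // to be the only place a reviewer has to look for a catch-all.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

The point to check before deploying: there is no `timestamp.date(...)` expiry anywhere, and every `allow write`, `create`, `update` or `delete` is gated on `request.auth`. As the answer notes, the Admin SDK and other Cloud SDKs bypass these rules entirely, so backend code is unaffected; the rules only govern web and mobile clients.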
