将 Cloud Firestore 限制为特定域 [英] Restricting Cloud Firestore to a specific domain

查看:26
本文介绍了将 Cloud Firestore 限制为特定域的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

有没有办法限制 Cloud Firestore(用于托管/网络)进行 CRUD 操作,但仅限于一个域,例如 xyz.com?

Is there a way to restrict Cloud Firestore (for hosting/web) to do CRUD operations with restrictions to one domain only, say xyz.com?

例如,下面的规则会在未经授权的情况下锁定read、update、delete,但您仍然可以write 到数据库中.

For example, the rule below locks read, update, delete without authorisation but you can still write things to the database.

service cloud.firestore {
  match /databases/{database}/documents {
    match /coming-soon-email-ids/{document=**} {
      allow write;
      allow read, update, delete: if request.auth.uid == !null;
    }
  }
}

或者我是否必须在其中集成 Google 的防火墙?

Or do I have to integrate Google's firewall in it?

推荐答案

Firebase 安全规则无法限制对网络域的访问.从一般意义上讲,这是不可能的,因为 Firestore 旨在从世界各地的移动客户端访问,使用 Web、Android 和 iOS.Android 和 iOS 客户端似乎从未来自某个域.他们只是通过提供的客户端库或有时通过 Firestore REST API 直接访问数据库.Web 客户端甚至可能会欺骗其明显的域(只有 HTTP 请求中不安全的Referrer"标头才真正可用).

Firebase security rules aren't able to restrict access to a web domain. In a very general sense, it is not possible, because Firestore is intended to be accessed from mobile clients around the world, using web, Android, and iOS. Android and iOS clients never appear to be coming from some domain. They just directly access the database via the provided client library, or sometimes through the Firestore REST API. Web clients may even spoof their apparent domain (which is only really available by the insecure "Referrer" header in an HTTP request).

您只能真正限制使用 Firebase 身份验证登录您的应用或网站的用户的访问权限,但您不能限制他们的来源.

You can only really restrict access to users signed in to your app or site using Firebase Authentication, but you can't limit where they come from.

这篇关于将 Cloud Firestore 限制为特定域的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆