如何设置 Firebase 数据库规则?如何防止被删除的用户写入 .write [英] How to set Firebase Database rules? How to prevent .write from deleted user

问题描述

简介

我正在构建一个 firebase 网络客户端应用程序.我想设置 Firebase 数据库规则.

I am building a firebase web client app. I would like set Firebase Database rules.

1. 新用户注册了 Firebase 应用.Firebase 为他提供了一个 user.UID.
2. 然后，管理员从 Firebase 管理控制台删除或禁用用户.
3. 用户刷新客户端应用.
4. (我发现)即使他的帐户已被删除/禁用，用户仍然可以写入 Firebase 数据库.

.

目标/意图

我想设置一个规则，当用户不存在或禁用时，阻止访问(.read OR .write)到firebase数据库> 在管理控制台/(身份验证/用户)中.

I would like to set a rule that prevent access (.read OR .write) to firebase database when user does not exist OR disabled in admin console/(auth/users).

类似这样的事情:

"rules":{
  "$uid":{
    ".write":"auth.isUserActive(auth.uid) == true"
  }
}

.

FIREBASE 参考文档: https://firebase.google.com/docs/reference/security/database/#auth

问题

我怎样才能实现上述意图?我应该为 firebase DB 设置什么规则?

How can I achieve the above intention? What are the rules should I set to firebase DB?

推荐答案

删除用户不会撤销该用户的现有令牌.请参阅Firebase 身份验证在用户删除时未撤销?.如果您使用的是标准身份提供商之一，则这意味着在您删除帐户后的一小时内，用户仍然可以访问数据.

Deleting a user doesn't revoke existing tokens for that user. See Firebase authentication not revoked when user deleted?. If you're using one of the standard identity providers, this means that the users may still be able to access the data for an hour after you delete the account.

没有 API 可以让您的代码检查给定的 uid 是否仍然存在.即使存在这样的 API，在这种情况下也无济于事，因为恶意用户可以绕过该检查并直接调用 API.

There is no API for you code to check whether a given uid still exists. And even if such an API existed, it wouldn't help in this case, since a malicious user could just bypass that check and call the API directly.

处理这种情况的一种简单方法是在您的数据库中保留允许用户的白名单或不允许的用户黑名单.对于黑名单，您需要保留禁止/删除用户的顶级(世界可读，管理员只能写)列表:

A simple way to deal with this scenario is to keep a whitelist of allowed or blacklist of disallowed users in your database. For a blacklist, you'd keep a top-level (world readable, admin only writeable) list of banned/deleted users:

banned
  uid12345: true

当您的管理员删除用户时，他们也会将其添加到此列表中.

When your admins delete a user, they also add them to this list.

然后在您的安全规则中，您检查并禁止被禁止的用户访问.例如:

And then in your security rules, you check and disallow access for banned users. E.g.:

"posts": {
  ".read": "auth != null && !root.child('banned').child(auth.uid).exists()"
}

这篇关于如何设置 Firebase 数据库规则?如何防止被删除的用户写入 .write的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！