Firebase email saying my Realtime Database Rules has insecure rules


Problem description

I want to piggy-back on a question asked years ago as I have the same rules: Firebase email saying my realtime database has insecure rules

Here are my Rules:

  1. All Sign-in Methods are disabled except for email/password.
  2. I only have one account of email/password.
  3. I don't allow anyone to log in - no GUI to log into.

So the question is: What else can I do to totally secure my Firebase Database? Thanks!

Solution

You have to know that as soon as (1) someone has the Web API Key of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign-up to your project (i.e. create a new account).

Getting the Web API Key is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).

Consequently, rules only based on "auth != null" allow anyone that has signed up through the REST API to access your Realtime Database. No need to use any GUI: after having been identified through the Auth REST API, the user can use the RTDB REST API.

One classical approach to prevent "non-desired" users from accessing data is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules: See the doc for more details.
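To make the difference concrete, here is an added example (not code from the original answer) that places the `auth != null` ruleset from the question beside a claim-based ruleset and evaluates both against constructed decoded tokens: one for an account an outsider created through the Auth REST API, one for the owner's account after a custom claim was set. The claim name `admin`, the uids and the e-mail addresses are assumptions for illustration.

```javascript
// Added example (not from the original answer): the weak rule from the
// question beside a claim-based rule, evaluated against constructed tokens.
// The claim name `admin` and all uids/emails are assumptions for illustration.

// Ruleset as the question describes it: any signed-in user may read/write.
const WEAK_RULES = {
  rules: { ".read": "auth != null", ".write": "auth != null" },
};

// Hardened ruleset: the token must also carry the custom claim `admin: true`.
const CLAIM_RULES = {
  rules: {
    ".read": "auth != null && auth.token.admin === true",
    ".write": "auth != null && auth.token.admin === true",
  },
};

// JavaScript predicates mirroring each ruleset's expression, so the decision
// can be exercised offline. This is not the Firebase rules engine.
const PREDICATES = {
  weak: (auth) => auth != null,
  claimBased: (auth) => auth != null && auth.token.admin === true,
};

// Decoded ID tokens as the rules engine would see them (constructed samples).
// An outsider who signed up through the Auth REST API with the Web API key:
// a valid identity, so `auth` is non-null, but it carries no custom claims.
const selfRegistered = {
  uid: "uid-outsider",
  token: { email: "outsider@example.com" },
};
// The owner's account after `admin.auth().setCustomUserClaims(uid, { admin: true })`
// (Firebase Admin SDK) has been run for it.
const owner = {
  uid: "uid-owner",
  token: { email: "owner@example.com", admin: true },
};

// Returns, per ruleset, whether each principal would be granted access.
function accessMatrix() {
  const principals = { unauthenticated: null, selfRegistered, owner };
  const matrix = {};
  for (const [ruleset, allows] of Object.entries(PREDICATES)) {
    matrix[ruleset] = {};
    for (const [name, auth] of Object.entries(principals)) {
      matrix[ruleset][name] = allows(auth);
    }
  }
  return matrix;
}
```

A claim set with the Admin SDK only shows up in `auth.token` once the client's ID token is refreshed, so a client that signed in before the claim was set keeps its old token until the refresh.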

