How can I restrict access to Firestore database to only requests coming from specific domain?

Problem description

There is a security rule that can restrict access to only specific users here: restrict access to specific users

Frank's answer there was really helpful and straightforward, but what if I am not using Firestore authentication?!

All I want to achieve is to grant access to requests coming only from my domain... just the domain, without authentication... so no one can use Postman, for example, to send GET or POST requests to my Firestore database.

Is there a way I can say something like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.origin.matches(/<https://myCompany.com>/);
    }
  }
}

Any help would be appreciated.

Recommended answer

There is no way to restrict to requests coming from a specific domain, and that would actually also be really easy to spoof. Something like Firebase App Check would help there, but that's not yet available for Firestore (yet).

The common way to limit who can access the database is to:

  1. Require the user to sign in to Firebase Authentication
  2. Require that they verify their email address.
  3. Validate the email address of request.auth.token.email in the security rules.

See also:

  • Restricting Cloud Firestore to a specific domain (which I probably would've marked your question as a duplicate of, if I'd seen it before)
  • Restrict Firestore sign in to specific domain
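
The three steps listed in the answer, written out as Firestore security rules. This is an added example, not part of the original answer; the domain `mycompany.com` and the helper name `isCompanyUser` are assumptions based on the question's placeholder.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical helper: true only for a signed-in user whose
    // verified email address belongs to the company domain.
    function isCompanyUser() {
      // Step 1: the request must carry a Firebase Authentication token.
      return request.auth != null
          // Step 2: the email in the token must be verified; without this
          // check, an unverified sign-up with a made-up address would pass.
          && request.auth.token.email_verified == true
          // Step 3: matches() tests the whole string, so this only accepts
          // addresses ending in @mycompany.com (assumed domain).
          && request.auth.token.email.matches('.*@mycompany[.]com');
    }

    match /{document=**} {
      allow read, write: if isCompanyUser();
    }
  }
}
```

Unlike the `request.origin` idea in the question, these conditions depend on a token signed by Firebase Authentication, so a request sent from Postman without a valid token for a verified company address is denied.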
