"Copy this file to your authentication server" - Firebase Custom auth

Problem description

My goal is to prevent users from logging in multiple times. I do not want this to be client-side, like with the onDisconnect and onConnect values, but with a server check. I came across this answer:

How to prevent simultaneous logins of the same user with Firebase?

Which tells me to create a custom auth system. When I am following the docs (https://firebase.google.com/docs/auth/ios/custom-auth) I need to "Copy this file to your authentication server" (3c). How would I do this? I am just using Firebase and my little iOS app. I would like to manage everything on these 2 things, no server in between, is this possible? Or can this file only be uploaded through another server?

If the above things are not possible, how can I server check if the user really signed in? I am using Cloud Functions, but I did not come across a trigger for a user signing in. Please no answers with onDisconnect/onConnect, I want it server side. A user may NOT login if he is already logged in. Thanks :)

Recommended answer

Implementing custom authentication requires that you have a secure place to mint the custom token that identifies each of your users. You cannot do this securely with only client-side code, because that would mean everyone could claim to be whoever they want.

While you can use Cloud Functions for Firebase to implement a secure back-end without spinning up your own server, I highly recommend against doing that just for the purpose of preventing a user from signing in from multiple locations.

It's important when talking about security to split these two steps:

  1. Authentication - a user proving who they are
  2. Authorization - an authenticated user being able to use your app

There very seldom is a reason to keep a user from proving who they are. Your concern seems to fall onto keeping them from using the app from multiple locations. To do that, it's probably easier to track for each user where they are using the app from already using Firebase Database's presence system.
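
The answer's point that a custom token can only be minted where the signing key stays secret, shown as an added example that is not part of the original answer. It is a Node.js sketch using only the built-in crypto module and the claim layout of Firebase's documented custom-token format; the key pair is generated inline as a stand-in for a service account key, and the function names, the e-mail address and the verifier are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed key pair standing in for the service account key (assumption).
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const AUD = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Back-end only: sign the claims with the private key (RS256).
function mintCustomToken(uid, email, key, now = Math.floor(Date.now() / 1000)) {
  const head = enc({ alg: 'RS256', typ: 'JWT' });
  const body = enc({ iss: email, sub: email, aud: AUD, iat: now, exp: now + 3600, uid });
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Verifier: returns the uid only if signature, algorithm, audience and expiry check out.
function verifyCustomToken(token, pubKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let h, c;
  try { h = dec(head); c = dec(body); } catch { return null; }
  if (!h || !c || h.alg !== 'RS256') return null; // never accept "none" or another algorithm
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${head}.${body}`), pubKey,
    Buffer.from(sig, 'base64url'));
  if (!ok || c.aud !== AUD || typeof c.exp !== 'number' || c.exp <= now) return null;
  return typeof c.uid === 'string' ? c.uid : null;
}

// What a client without the key can do: rewrite the uid and reuse the old signature.
function rewriteUid(token, newUid) {
  const [head, body, sig] = token.split('.');
  return `${head}.${enc({ ...dec(body), uid: newUid })}.${sig}`;
}

const EMAIL = 'svc@example-project.iam.gserviceaccount.com'; // constructed placeholder
const token = mintCustomToken('alice', EMAIL, privateKey);
console.log(verifyCustomToken(token, publicKey));                    // alice
console.log(verifyCustomToken(rewriteUid(token, 'bob'), publicKey)); // null
```

If the private key shipped inside the iOS app, every copy of the app could call the minting function for any uid, which is why the key belongs on a back-end such as Cloud Functions.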
