How to restrict Firebase data modification?


Problem description


Firebase provides database back-end so that developers can focus on the client side code.

So if someone takes my firebase uri (for example, https://firebaseinstance.firebaseio.com) then develops on it locally.

Then, would they be able to create another app off my Firebase instance, signup and authenticate themselves to read all data of my Firebase app?

Solution

Thanks to both of you for this discussion. However, I wanted to add a detail.

@Frank van Puffelen,

You mentioned the phishing attack. There actually is a way to secure for that.

If you log in to your googleAPIs API Manager console, you have an option to lock down which HTTP referrer your app will accept requests from.

  1. Visit https://console.developers.google.com/apis
  2. Go to your firebase project
  3. Go to credentials
  4. Under API keys, select the Browser key associated with your firebase project (should have the same key as the API key you use to initialize your firebase app.)
  5. Under "Accept requests from these HTTP referrers (web sites)", simply add the URL of your app.

This should only allow the whitelisted domain to use your app.

This is also described in the firebase launch-checklist here: https://firebase.google.com/support/guides/launch-checklist

Perhaps the firebase documentation could make this more visible or automatically lock down the domain by default and require users to allow access?

Again, thanks so much!
