Using NodeJs with Firebase - Security


Problem description

Due to the need to do some server side code - mainly sending emails I have decided to use Nodejs & Express for the server side element along with Firebase to hold the data - Partly from a learning experience.

My question is what's the best approach with regards to using the client side Firebase library and the Nodejs library when doing authentication using the Simple Email & Password API. If I do the authentication client side and then subsequently call a different route on the NodeJS side, will the authentication for that user be carried across in the request? What would be the approach to test the user is authenticated within Node?

One approach I assume is to get the current user's username & password from Firebase and then post these to NodeJS and then use the Firebase security API on the server to test.

Solution

Essentially the problem here is you need to securely convey to your NodeJS server who the client is authenticated as to Firebase. There are several ways you could go about this, but the easiest is probably to have all of your client<->NodeJS communication go through Firebase itself.

So instead of having the client hit a REST endpoint served by your NodeJS server, have the client write to a Firebase location that your NodeJS server is monitoring. Then you can use Firebase Security Rules to validate the data written by the client and your server can trust it.

For example, if you wanted to make it so users could send arbitrary emails through your app (with your NodeJS server taking care of actually sending the emails), you could have a /emails_to_send location with rules something like this:

{
  "rules": {
    "emails_to_send": {
      "$id": {
        ".write": "!data.exists() && newData.child('from').val() == auth.email",
        ".validate": "newData.hasChildren(['from', 'to', 'subject', 'body'])"
      }
    }
  }
}

Then in the client you can do:

ref.child('emails_to_send').push({
  from: 'my_email@foo.com',
  to: 'joe@example.com',
  subject: 'hi',
  body: 'Hey, how\'s it going?'
});

And in your NodeJS code you could call .auth() with your Firebase Secret (so you can read and write everything) and then do:

ref.child('emails_to_send').on('child_added', function(emailSnap) {
  var email = emailSnap.val();
  sendEmailHelper(email.from, email.to, email.subject, email.body);

  // Remove it now that we've processed it.
  emailSnap.ref().remove();
});

This is going to be the easiest as well as the most correct solution. For example, if the user logs out via Firebase, they'll no longer be able to write to Firebase so they'll no longer be able to make your NodeJS server send emails, which is most likely the behavior you'd want. It also means if your server is temporarily down, when you start it back up, it'll "catch up" sending emails and everything will continue to work.
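The following is an added example, not part of the answer above and not Firebase's own code. It models, in plain Node.js and entirely in memory, the two checks the `/emails_to_send` rules express (`.write` rejects overwrites and any `from` that differs from `auth.email`; `.validate` requires all four fields) and a worker that mirrors the `child_added` consumer, including the "catch up" behaviour when the worker attaches after entries were queued. `EmailQueue`, `canWrite`, `attachWorker` and the sample addresses are assumptions made for this illustration; in a real deployment the rules are evaluated by Firebase's servers, not by application code.

```javascript
// Added example (not from the original answer): an in-memory model of the
// /emails_to_send queue applying the same checks as the rules in the answer,
// plus a worker mirroring the child_added consumer. EmailQueue, canWrite and
// attachWorker are names assumed for this example.

const REQUIRED_FIELDS = ['from', 'to', 'subject', 'body'];

// Mirrors ".validate": "newData.hasChildren(['from', 'to', 'subject', 'body'])".
// hasChildren() requires every listed child to be present with a non-null value.
function hasRequiredChildren(newData) {
  return newData !== null && typeof newData === 'object' &&
    REQUIRED_FIELDS.every((f) => newData[f] !== undefined && newData[f] !== null);
}

// Mirrors ".write": "!data.exists() && newData.child('from').val() == auth.email".
// `existing` is the current value at /emails_to_send/$id (null when absent);
// `auth` is the authenticated client's token payload (null when unauthenticated).
function canWrite(existing, newData, auth) {
  if (auth === null || typeof auth.email !== 'string') return false; // no auth.email to compare
  if (existing !== null) return false;                               // !data.exists()
  if (!hasRequiredChildren(newData)) return false;                   // .validate
  return newData.from === auth.email;                                // sender cannot be spoofed
}

class EmailQueue {
  constructor() {
    this.entries = new Map(); // $id -> email object
    this.listeners = [];
    this.nextId = 1;
  }

  // Models ref.child('emails_to_send').push(...) by a client authenticated as `auth`.
  // Returns the generated id on success, or null when the rules reject the write.
  push(email, auth) {
    const id = 'id' + this.nextId++;
    return this.set(id, email, auth);
  }

  set(id, email, auth) {
    const existing = this.entries.has(id) ? this.entries.get(id) : null;
    if (!canWrite(existing, email, auth)) return null;
    this.entries.set(id, email);
    this.listeners.forEach((fn) => fn(id, email));
    return id;
  }

  // Models .on('child_added', ...): fires once for every child already present
  // (this is the "catch up" after a restart), then for each later write.
  attachWorker(sendEmailHelper) {
    const handler = (id, email) => {
      sendEmailHelper(email.from, email.to, email.subject, email.body);
      this.entries.delete(id); // emailSnap.ref().remove()
    };
    Array.from(this.entries.entries()).forEach(([id, email]) => handler(id, email));
    this.listeners.push(handler);
  }

  size() { return this.entries.size; }
}

// Constructed demonstration data; returns the outcomes so they can be inspected.
function demo() {
  const sent = [];
  const queue = new EmailQueue();
  const alice = { uid: 'u1', email: 'alice@example.com' };
  const mail = (from, extra) => Object.assign({ from, to: 'bob@example.com', subject: 'hi', body: 'hey' }, extra);

  const results = {};
  results.unauthenticated = queue.push(mail('alice@example.com'), null);         // rejected: no auth
  results.spoofedFrom = queue.push(mail('ceo@example.com'), alice);              // rejected: from != auth.email
  results.missingBody = queue.push(mail('alice@example.com', { body: null }), alice); // rejected: .validate
  results.valid = queue.push(mail('alice@example.com'), alice);                  // accepted
  results.overwrite = queue.set(results.valid, mail('alice@example.com'), alice); // rejected: data.exists()

  // The server "comes up" only now and catches up on the queued entry.
  queue.attachWorker((from, to, subject, body) => sent.push({ from, to, subject, body }));
  results.sentAfterAttach = sent.length;

  queue.push(mail('alice@example.com', { subject: 'again' }), alice);           // processed immediately
  results.sentAfterSecondPush = sent.length;
  results.remaining = queue.size();
  return results;
}

module.exports = { canWrite, hasRequiredChildren, EmailQueue, demo };
```

One property of the answer's consumer worth noting when porting it: `emailSnap.ref().remove()` runs whether or not `sendEmailHelper` succeeded, so a failed send silently drops the entry. Removing the child only after the send completes (and leaving it in place on error) gives at-least-once delivery at the cost of possible duplicates; which trade-off is right depends on the application.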
