"Copy this file to your authentication server" - Firebase Custom auth


Problem description



    My goal is to prevent multiple logins by the same user. I do not want this to be client-side, with like the onDisconnect and onConnect values, but with a server check. I came across this answer:

    How to prevent simultaneous logins of the same user with Firebase?

    Which tells me to create a custom auth system. When I am following the docs (https://firebase.google.com/docs/auth/ios/custom-auth) I need to "Copy this file to your authentication server" (3c). How would I do this? I am just using Firebase and my little iOS app. I would like to manage everything on these 2 things, no server in between, is this possible? Or can this file only be uploaded through another server?

    If the above things are not possible, how can I server check if the user really signed in? I am using Cloud Functions, but I did not come across a trigger for a user signing in. Please no answers with onDisconnect/onConnect, I want it server side. A user may NOT login if he is already logged in. Thanks :)

    Solution

    Implementing custom authentication requires that you have a secure place to mint the custom token that identifies each of your users. You cannot do this securely with only client-side code, because that would mean everyone could claim to be whoever they want.

    While you can use Cloud Functions for Firebase to implement a secure back-end without spinning up your own server, I highly recommend against doing that just for the purpose of preventing a user from signing in from multiple locations.

    It's important when talking about security to split these two steps:

    1. Authentication - a user proving to be who they are
    2. Authorization - the authenticated user being able to use your app

    There very seldom is a reason to keep a user from proving who they are. Your concern seems to fall onto keeping them from using the app from multiple locations. To do that, it's probably easier to track for each user where they are using the app from already using Firebase Database's presence system.

    Also see:
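
The answer's first point, shown as an added example that is not part of the original answer or of the Firebase SDK: a custom token is a JWT signed with the project's service account private key, so whoever holds that key can mint a token for any uid. The key pair, the service account email and `verifyCustomToken` (a simplified stand-in for the check done on the verifying side) are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed stand-in for the service account key pair. In a real project the
// private key lives in the service account JSON and must stay on the server.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SERVICE_ACCOUNT = 'minter@example-project.iam.gserviceaccount.com'; // placeholder
const AUD = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Server side: build and sign the custom token (an RS256 JWT) for one uid.
function mintCustomToken(uid, signingKey, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({
    iss: SERVICE_ACCOUNT, sub: SERVICE_ACCOUNT, aud: AUD,
    iat: now, exp: now + 3600, uid, // lifetime is capped at one hour
  }));
  const signature = crypto.sign('RSA-SHA256', Buffer.from(`${header}.${payload}`), signingKey);
  return `${header}.${payload}.${b64url(signature)}`;
}

// Simplified stand-in for the verifying side: accept the uid only if the
// signature matches the public key and the token has not expired.
function verifyCustomToken(token, verifyKey, now = Math.floor(Date.now() / 1000)) {
  const [header, payload, signature] = token.split('.');
  if (!header || !payload || !signature) return null;
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${header}.${payload}`),
    verifyKey, Buffer.from(signature, 'base64'));
  if (!valid) return null;
  const claims = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
  return claims.aud === AUD && claims.exp > now ? claims.uid : null;
}

// A key generated on a device is not the project's key, so its tokens are rejected.
const deviceKey = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }).privateKey;
const serverToken = mintCustomToken('alice', privateKey);
const deviceToken = mintCustomToken('alice', deviceKey);
console.log('server-minted token ->', verifyCustomToken(serverToken, publicKey));
console.log('device-minted token ->', verifyCustomToken(deviceToken, publicKey));
```

Shipping the real private key inside the iOS app would make the second case succeed for every uid, which is why the minting step has to run on a back-end such as Cloud Functions.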
