我可以根据实例ID设置Firebase数据库规则吗？ [英] Can I set Firebase Database rules based on Instance ID?

问题描述

我是Firebase数据库的新手，并不打算使用Firebase身份验证。

可以根据Firebase实例ID设置Firebase数据库规则，而不是通过身份验证的用户ID？

这是我想要实现的结构：

pre > / instanceIDs
/ iid1
/ somedata
/ someotherdata
/ iid2
...
/ iid3
...


我想限制读/写权限仅限于特定的实例ID任何人都可以展示如何设置这样的规则？

否则，如果我为所有用户设置读/写为true ，安全风险是什么？
如果我的本地移动应用程序代码只读取/写入特定实例ID分支，我可以期待一些安全问题吗？

解决方案

使用Firebase云消息传递的应用中的实例ID标识了该特定设备上该特定应用的安装。此值在Firebase安全规则中不可用。

尽管基于此实例ID进行安全性听起来像是一个有趣的想法，但从长远来看，这将不起作用。 实例ID可以随时间变化，每个那么设备将无法访问其数据。

访问Firebase（数据库和存储）通常基于应用的用户。与实例ID不同，用户的ID随时间稳定：意味着同一个用户将始终具有相同的UID，因此可以访问相同的资源。如果您不想让用户登录，则可以使用 Firebase的匿名认证。

PS：如果您想尝试使用Instance ID来保护访问，您可以轻松地将Instance ID传递给服务器，从其中创建一个Firebase身份验证令牌（您可以） =https://firebase.google.com/docs/functions/use-cases#other_ways_to_integrate_with_third-party_services_and_apis =nofollow noreferrer>使用云端函数），然后使用该自定义标记进行登录。

I am new to Firebase Database and I am not planning to use the Firebase Authentication.

Is it possibile to set Firebase Database rules based on the Firebase Instance ID, rather than on the authenticated User ID ?

This is the structure I am thinking to implement:

/instanceIDs
    /iid1
         /somedata
         /someotherdata
    /iid2
         ...
    /iid3
         ...

and I would like to restrict read/write permission only to that specific instance ID

anyone can show how to set such rule?

Otherwise, if I set read/write to true for all users, what is the security risk? If my native mobile app code only reads/writes on the specific instance ID branch, can I expect some security issues?

解决方案

The Instance ID in an app that uses Firebase Cloud Messaging identifies the installation of that specific app on that specific device. This value is not available in Firebase security rules.

While it sounds like an interesting idea to secure based on this instance ID, it would in longer term not work. The Instance ID can change over time, and every time that happens, the device would lose access to its data.

Access to Firebase (database and storage) is typically based on the user of the app. Unlike the Instance ID, the user's ID is stable over time: meaning that the same user will always have the same UID and thus have access to the same resources. If you don't want to ask your users to sign in, you can use Firebase's anonymous authentication.

PS: if you feel like experimenting with using the Instance ID to secure access, you can easily pass the Instance ID to a server, mint a Firebase Authentication token from it (you could use Cloud Functions for this), and then use that custom token to sign in.

这篇关于我可以根据实例ID设置Firebase数据库规则吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！