在使用JavaScript创建用户帐户时的Firebase安全问题 [英] Firebase Security issue in creating user accounts using javascript
问题描述
我已经使用javascript在firebase中创建用户,这是firebase指南中给出的代码。
var ref =新的Firebase(https://< YOUR-FIREBASE-APP> .firebaseio.com);
pre>
ref.createUser({
email:bobtony@firebase.com,
password:correcthorsebatterystaple
}
此数据适用于任何来自浏览器控制台的用户,可能是安全威胁(任何人都可以为自己创建帐户)
是否有任何安全我可以采取措施,以防止这种情况发生?
解决方案
绝对,
firebase处理安全性的方式有些不同(通过他们自己的承认),这里有一些基本的概念:
$ b认证
Firebase提供了允许进行身份验证的工具,其中包括
- 与Facebook,GitHub,Google和Twitter身份验证提供程序的集成
- 电子邮件和密码登录以及帐户管理
- 单一会话匿名登录 >
授权
F irebase允许通过帐户信息中心指定生活在Firebase服务器上的规则。
数据验证
Firebase在语言中有一组规则,包括。
validate
规则。使用它来指定声明式验证规则,就像.read
和.write
规则
在您的具体情况下,我会编写声明性规则来限制您的应用程序的写入权限。例如:
{
rules:{
usersLocation:{
.read:true,
.write:false,
}
}
}
I've been using javascript to create users in firebase .this is the code given in the firebase guide
var ref = new Firebase("https://<YOUR-FIREBASE-APP>.firebaseio.com"); ref.createUser({ email : "bobtony@firebase.com", password : "correcthorsebatterystaple" }
this data is available for anyone from the browser console and can be a security threat (any one can create an account for themselves) Is there any security measure i can take to prevent this ?
解决方案Absolutely,
The way firebase handles security is a bit different (by their own admission). Here are the basic concepts:
Authentication
Firebase provides tools allowing for authentication, These include
- Integrations with Facebook, GitHub, Google, and Twitter authentication providers
- Email & password login, and account management
- Single-session anonymous login
- and custom login tokens
Authorization
Firebase allows specify rules that live on the Firebase servers via an Account Dashboard
Data Validation
Firebase has a set of rules in the language that includes a .validate
rule. Use it to specify declarative validation rules just like .read
and .write
rules
In your specific case, I would write declarative rules to limit the write access for your app. Something like this:
{
"rules": {
"usersLocation": {
".read": true,
".write": false,
}
}
}
这篇关于在使用JavaScript创建用户帐户时的Firebase安全问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!