如何设置Firebase数据库规则?如何防止从被删除的用户 [英] How to set Firebase Database rules? How to prevent .write from deleted user
问题描述
- 注册到Firebase应用的新用户。 Firebase给了他一个user.UID。 然后,admin 删除或禁用来自Firebase管理控制台的用户。
- 用户刷新客户端应用程序
- (我发现)用户仍然可以写入到firebase数据库,即使他的帐户已被删除/禁用。
。
目标/意向
我想在用户不存在时将禁止访问(.read OR .write)的规则设置为firebase数据库禁用在管理控制台/(auth /用户)。
有些事情是这样的:
rules:{
$ uid:{
.write:auth.isUserActive(auth.uid)== true
code
$ b FIREBASE参考DOC: https:/ /firebase.google.com/do cs / reference / security / database /#auth
问题
<我怎样才能达到上述目的?我应该设置firebase DB的规则是什么?
解决方案删除用户不会撤销该用户的现有令牌。请参阅用户删除时未撤消Firebase身份验证?。如果您使用的是标准身份提供商之一,这意味着用户在删除账户后仍然可以访问数据一小时。
有是没有你的API代码来检查给定的uid是否仍然存在。即使这样的API存在,在这种情况下也不会有帮助,因为恶意用户可以绕过该检查并直接调用API。
一个简单的方法处理这种情况是在数据库中保留允许或禁止用户黑名单的白名单。对于黑名单,您将保留一个禁止/删除用户的顶级(世界可读,管理员唯一可写)列表:
禁止
uid12345:true
当你的管理员删除一个用户时,这个列表。
然后在您的安全规则中,您检查并禁止访问禁止的用户。例如:
posts:{
.read:auth!= null&& root.child('banned')。child(auth.uid).exists()
}
Introduction
I am building a firebase web client app. I would like set Firebase Database rules.
- New user registered to a firebase app. Firebase gave him a user.UID.
- Then, admin delete OR disabled the user from firebase admin console.
- User refresh client app.
- (I find out that) user can still write to firebase database even though his account has been deleted/disabled.
.
Goal / Intention
I would like to set a rule that prevent access (.read OR .write) to firebase database when user does not exist OR disabled in admin console/(auth/users).
Some thing like this:
"rules":{
"$uid":{
".write":"auth.isUserActive(auth.uid) == true"
}
}
.
FIREBASE REFERENCE DOC: https://firebase.google.com/docs/reference/security/database/#auth
Question
How can I achieve the above intention? What are the rules should I set to firebase DB?
解决方案 Deleting a user doesn't revoke existing tokens for that user. See Firebase authentication not revoked when user deleted?. If you're using one of the standard identity providers, this means that the users may still be able to access the data for an hour after you delete the account.
There is no API for you code to check whether a given uid still exists. And even if such an API existed, it wouldn't help in this case, since a malicious user could just bypass that check and call the API directly.
A simple way to deal with this scenario is to keep a whitelist of allowed or blacklist of disallowed users in your database. For a blacklist, you'd keep a top-level (world readable, admin only writeable) list of banned/deleted users:
banned
uid12345: true
When your admins delete a user, they also add them to this list.
And then in your security rules, you check and disallow access for banned users. E.g.:
"posts": {
".read": "auth != null && !root.child('banned').child(auth.uid).exists()"
}
这篇关于如何设置Firebase数据库规则?如何防止从被删除的用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
