Firebase：从Pyrebase提供有限且安全的服务访问？ [英] Firebase: limited and secure service access from Pyrebase?

问题描述

使用Firebase的服务器API时，您可以提供额外的 databaseAuthVariableOverride 部分来限制服务帐户的访问权限，如在文档中。我想使用 Pyrebase ，因为它在Python中，并且支持使用服务帐户。但是，如果我在那里使用服务帐户登录，那么它可以完全访问数据库 - 写入之前的验证规则不会被检查（而我确实希望它们被检查）。

所以，这个问题有两个部分：

1. 是否可以添加对 databaseAuthVariableOverride 到Pyrebase？我发现它使用了Firebase REST API，我不知道是否支持它，我应该在哪里发送该变量。
   
2. 我可以通过不使用服务帐户来解决此问题，而是一个正常的电子邮件/密码帐户设置为特定的电子邮件，并添加根读/写规则检查 auth.email ==='< my-email> 和/或 auth.uid ==='< my-account-uid>'。这里的问题是：这是同样安全的，因为使用有限访问的服务帐户（如顶部链接）？
   
   

   解决方案

   使用使用有限权限进行身份验证或者由用电子邮件和密码登录

   
   

   When using Firebase's server API, you can provide additional databaseAuthVariableOverride section to limit access of the service account, as described in the docs. I wanted to use Pyrebase, as it's in python and supports using service accounts. However, if I log in using a service account there, it has full access to the database -- the validation rules before write are not checked (while I do want them to be checked).

   So, there are two parts to this question:

   1. Is it possible to add support for databaseAuthVariableOverride into Pyrebase at all? I see it uses Firebase REST API, and I don't know if that supports it, and where should I send that variable.
   2. I can work around this issue by not using the service account, but a normal email/password account set to a particular email, and add root read/write rules checking auth.email === '<my-email> and/or auth.uid === '<my-account-uid>'. Question here is: is this equally secure as using a service account with limited access (as linked on the top)?

   解决方案

   There is no difference in the security rules between an auth.uid that you've set using Authenticate with limited privileges or one that is determined by signing in with email&password.

   这篇关于Firebase：从Pyrebase提供有限且安全的服务访问？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！