用Firebase的push()/ childByAutoID生成的名称的唯一性保证是什么?
[英]What are the uniqueness guarantees of names generated with Firebase's push()/childByAutoID?
问题描述
I'd like to use Firebase to make publicly-readable data whose location is difficult to guess. 
我想使用Firebase制作位置难以猜测的公开可读数据。 So, to give someone access to the data stored in "element [element ID = X]", I'd like to just send them "X", instead of sending them "X" along with a security token crafted to give them access to the element. 因此,要让某人访问存储在“ element [element [element ID = X]”中的数据”,我想只向他们发送“ X”,而不是向他们发送“ X”以及旨在赋予他们访问权限的安全令牌元素。 Firebase's push() and childByAutoID seem like a natural fit: I can grant public read access to all individual elements, but deny public listing. Firebase的push()和childByAutoID看起来很自然:我可以授予公众对所有单个元素的读取权限,但拒绝公开列表。 My code will be blissfully free of token and random number generation. 我的代码将完全没有令牌和随机数生成。 The automatically generated ID is supposed to be unique, and thus should be difficult to guess. 自动生成的ID应该是唯一的,因此应该难以猜测。
From looking at Firebase.js , it appears the first 8 characters of the automatically generated ID are based on the current timestamp, and the next 12 characters are randomly generated using Math.random() . 通过查看Firebase.js ,似乎自动生成的ID的前8个字符是基于当前时间戳记的,接下来的12个字符是使用Math.random()随机生成的。 I assume that the iOS framework does the same thing, and although I can't see the code, the library links to both SecRandomCopyBytes and arc4random . 我假设iOS框架做同样的事情,尽管我看不到代码,但是库链接到SecRandomCopyBytes和arc4random 。
For my purposes, this looks good enough, but has anyone seen guidance from Firebase on whether we can count on this behavior? 就我而言,这看起来已经足够好了,但是有没有人看到Firebase提供的关于我们是否可以依靠这种行为的指导? I would hate to build code that assumes these names are relatively strong random strings and then have that assumption violated when I upgraded to a newer version of Firebase. 我讨厌构建假定这些名称是相对强壮的随机字符串的代码,然后在升级到较新版本的Firebase时违反了该假设。
1 个解决方案
解决方案1
4 已采纳 2014-01-08 17:23:20
The purpose of the auto-generated IDs provided by Firebase is to allow the developer to create a chronologically ordered list in a distributed manner. Firebase提供的自动生成的ID的目的是允许开发人员以分布式方式创建按时间顺序排列的列表。 It relies on Math.random and the timestamp to generate an ID unique to that client. 它依靠Math.random和时间戳生成该客户端唯一的ID。
However, if you're going to use the auto IDs as security keys, it may not be the best idea depending on how secure you want your system to be. 但是,如果您打算将自动ID用作安全密钥,则取决于您希望系统的安全程度,它可能不是最好的主意。 Math.random is not a cryptographically secure random number generator and since push() relies on it, the IDs generated by it aren't either. Math.random 不是加密安全的随机数生成器,并且由于push()依赖于它,因此它生成的ID也不是。
The general concept of giving a user access to some data in Firebase if they know the key is a good one though. 但是,一般的概念是让用户访问Firebase中的某些数据(如果他们知道密钥的话)。 We have an example of using this type of security rule, but instead of using push IDs, we use a SHA-256 hash of the content itself (in this particular case, they are images). 我们有一个使用这种类型的安全规则的示例 ,但不是使用推送ID,而是使用内容本身的SHA-256哈希(在这种情况下,它们是图像)。 Hashing the content to generate the keys is more secure than relying on push() IDs. 散列内容以生成密钥比依赖push()ID更安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.