[英]Firebase email / password createUser security
I'm using Firebase 2.x. 我正在使用Firebase2.x。 If I enable email/password security, how do I prevent a malicious pre-existing user from writing their own javascript code that would do authenticate with my Firebase and then launch a createUser attack?
如果我启用了电子邮件/密码安全性,如何防止恶意的既存用户编写自己的JavaScript代码以对Firebase进行身份验证,然后发起createUser攻击? Hypothetically, it might look like this:
假设地,它可能看起来像这样:
var ref = new Firebase(my_fire_base);
ref.authWithPassword({ email : 'pre@existing.com', password: 'validpassword' },
function(error, authData) {
if (!error) {
ref.createUser( ... ); // do this a bunch of times
}
});
Since this question was cross-posted to Google Groups , I'll quote the answer that was given there : 由于此问题是交叉发布到Google网上论坛的 ,因此我将引用那里给出的答案:
You do not need to be authenticated to call createUser().
您无需通过身份验证即可调用createUser()。 This is by design and how all registration systems work.
这是设计使然,以及所有注册系统如何工作。 It is possible for a malicious client to call createUser() a gazillion times, but this is where we build rate limiting into the service we provide and prevent people from doing this.
恶意客户端可能会无数次地调用createUser(),但这是我们在所提供的服务中内置速率限制并阻止人们这样做的地方。 You cannot restrict by specific origins, and even if you could, as you mentioned, this can be easily spoofed.
您不能限制特定的来历,即使您可以像您提到的那样,也可以很容易地进行欺骗。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.