Firebase security per user

I'm working on a site using Firebase.
The security rules were:

{
  "rules": {
    "users": {
      ".read": true,
      ".write": true
    }
  }
}

So everyone can add their info, but no one can access the main part.
But when someone now types this in the console:

ref = new Firebase("https://xxx.firebaseio.com/users");
ref.createUser({
        email: email,
        password: password
}, function(error, userData) {});
ref.authWithPassword({
        email: email,
        password: password
    }, function(error, authData) {});
ref.remove();

all user data will be removed. All users have their own uid (e.g. simplelogin:58) and storage ID (e.g. -Js18LFoT0SmFi2Iq4GP);
could I maybe do something with those? I really don't want anyone to be able to remove all of my user data, but I need to let the users edit their own info, and remove their account when they'd like to.

Here's some of my code:

function register() {
    var ref = new Firebase("https://fiery-heat-xxx.firebaseio.com/");
    ref.createUser({
        email: email,
        password: password
    }, function(error, userData) {
        if (error) {
            alert("Error creating user: " + error)
        } else {
            console.log("Successfully created user account with uid:", userData.uid);
            var uid = userData.uid


            var usersRef = new Firebase("https://fiery-heat-xxx.firebaseio.com/users/" + uid)
            var newUser = usersRef.set({
                faveShow1: "",
                faveShow2: "",
                faveShow3: "",
                faveShow4: "",
                faveShow5: "",
                faveShow6: "",
                faveShow7: "",
                faveShow8: "",
                faveShow9: "",
                faveShow10: "",
                uid: uid
            });
            //var key = newUser.key();
            //console.log(key)
            login();
        }
    });
}

function login() {
  clear();
    var ref = new Firebase("https://fiery-heat-xxx.firebaseio.com/");
    ref.authWithPassword({
        email: email,
        password: password
    }, function(error, authData) {
        if (error) {
            alert("Login Failed!" + error);
        } else {
            console.log("Authenticated successfully with payload:", authData);

            thisAuthData = authData.uid;
            var usersRef = new Firebase("https://fiery-heat-xxx.firebaseio.com/users/" + thisAuthData);

            usersRef.on("value", function(snapshot) {
                console.log(snapshot.val());
                globalAuthData = snapshot.val();
                //globalKey = amount;
                var SS = snapshot.val();
                show1 = SS.faveShow1;
                show2 = SS.faveShow2;
                show3 = SS.faveShow3;
                show4 = SS.faveShow4;
                show5 = SS.faveShow5;
                show6 = SS.faveShow6;
                show7 = SS.faveShow7;
                show8 = SS.faveShow8;
                show9 = SS.faveShow9;
                show10 = SS.faveShow10;
                //...//
            }, function(errorObject) {
                alert("The read failed: " + errorObject.code);
            });
        }
    });
}

function removeUser() {
  clear();
    var ref = new Firebase("https://fiery-heat-xxx.firebaseio.com/");
    var refSer = new Firebase("https://fiery-heat-xxx.firebaseio.com/users/" + thisAuthData)


    ref.removeUser({
        email: email,
        password: password
    }, function(error) {
        if (error === null) {
            alert("User removed successfully");
            refSer.remove();
            logoff();
        } else {
            console.log("Error removing user:", error);
        }
    });
}

function edit() {
  clear();
    var fredNameRef = new Firebase('https://fiery-heat-xxx.firebaseio.com/users/' + thisAuthData);
    var onComplete = function(error) {
        if (error) {
            console.log('Synchronization failed');
        } else {
            console.log('Synchronization succeeded');
            console.log(thisAuthData);
            console.log(globalAuthData);
            login();
        }
    };
    if (document.getElementById("form1").value != "") {
        var show1 = document.getElementById("form1").value;
    }
    var show2 = document.getElementById("form2").value;
    var show3 = document.getElementById("form3").value;
    var show4 = document.getElementById("form4").value;
    var show5 = document.getElementById("form5").value;
    var show6 = document.getElementById("form6").value;
    var show7 = document.getElementById("form7").value;
    var show8 = document.getElementById("form8").value;
    var show9 = document.getElementById("form9").value;
    var show10 = document.getElementById("form10").value;


    fredNameRef.update({
        faveShow1: show1,
        faveShow2: show2,
        faveShow3: show3,
        faveShow4: show4,
        faveShow5: show5,
        faveShow6: show6,
        faveShow7: show7,
        faveShow8: show8,
        faveShow9: show9,
        faveShow10: show10,
    }, onComplete);

}

function logoff() {
    clear();
    var ref = new Firebase('https://fiery-heat-xxx.firebaseio.com/');
    ref.unauth();
    //...//
}

and my security rules:

{
  "rules": {
    "users": {
      "$user_id": {
         ".write": "$user_id === auth.uid"
      },
     ".read": true
    }
  }
}

But I can't register or update right now...

To make sure a user's information can only be edited by that user, you want to use auth.uid.

https://www.firebase.com/docs/web/guide/understanding-security.html

The most important built-in variable is auth. This variable is populated after your user authenticates. It contains data about them and auth.uid, a unique, alphanumeric identifier that works across providers. The auth variable is the foundation of many rules.

{
  "rules": {
    "users": {
      "$user_id": {
        ".write": "$user_id === auth.uid"
      }
    }
  }
}

To make it a little more clear, auth.uid refers to the currently logged in user, and $user_id refers to the location in the database. The $ points to the $location rule variable:

https://www.firebase.com/docs/security/api/rule/path.html

{   "rules": {
    "users": {
      "$user": {
        ".read": "auth.uid === $user",
        ".write": "auth.uid === $user"
      }
    }  
  } 
}

When a user authenticates to a Firebase app, three things happen:

  • Information about the user is returned in callbacks on the client device. This allows you to customize your app's user experience for that specific user.

  • The user information returned contains a uid (a unique ID), which is guaranteed to be distinct across all providers, and to never change for a specific authenticated user. The uid is a String that contains the name of the provider you're authenticating with, followed by a colon and a unique id returned from the provider.

  • The value of the auth variable in your app's Security and Firebase Rules becomes defined. This variable is null for unauthenticated users, but for authenticated users it is an object containing the user's unique id (auth.uid) and potentially other data about the user. This allows you to securely control data access on a per-user basis.

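The rule behaviour this answer describes, shown as an added example (my own code, not the Firebase SDK and not code from the original post): a small JavaScript model of how `.read`/`.write` rules cascade from the root of the tree downwards. It takes the open rules from the question and the per-user rules from the end of the answer, evaluates the rule strings against an `auth` object and the `$user` binding, and checks the operations the question cares about. `simplelogin:58` is the uid quoted in the question; the attacker uid `simplelogin:99` and the paths are constructed for the example. The model ignores `.validate` rules and treats a rule expression that throws (for instance `auth.uid` when `auth` is null) as a deny.

```javascript
// Added example (not Firebase code): a minimal model of Firebase security-rule
// cascading, enough to check which client operations each rule set permits.
// Assumptions: rule strings reference only `auth` and `$variables`; .validate
// rules are ignored; an expression that throws while evaluating (e.g. auth.uid
// when auth is null) counts as deny.

// The open rules from the question.
const OPEN_RULES = {
  rules: { users: { ".read": "true", ".write": "true" } },
};

// The per-user rules from the end of the answer.
const PER_USER_RULES = {
  rules: {
    users: {
      $user: {
        ".read": "auth.uid === $user",
        ".write": "auth.uid === $user",
      },
    },
  },
};

// Compile one rule string into a predicate over (auth, vars). "$user" in the
// string becomes a lookup in `vars`. new Function is acceptable here only
// because rule strings come from our own config, never from users.
function compileRule(expr) {
  const js = expr.replace(/\$([A-Za-z_]\w*)/g,
    (_, name) => `vars[${JSON.stringify("$" + name)}]`);
  const fn = new Function("auth", "vars", `return Boolean(${js});`);
  return (auth, vars) => {
    try { return fn(auth, vars); } catch (e) { return false; } // error => deny
  };
}

// True if `op` ("read"/"write") is allowed at `path` for `auth` (null when the
// client is unauthenticated). Firebase grants an operation when the rule at
// the target node or at ANY ancestor is true; rules on descendants never grant
// access to a parent, so a child rule cannot authorise remove("/users").
function isAllowed(ruleSet, op, path, auth) {
  const key = "." + op;
  const vars = {};
  let node = ruleSet.rules;
  if (node[key] !== undefined && compileRule(node[key])(auth, vars)) return true;
  for (const seg of path.split("/").filter(Boolean)) {
    let next = node[seg];
    if (next === undefined) {
      // No literal child: fall back to a $wildcard child and bind the segment.
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard === undefined) return false; // nothing covers this path => deny
      vars[wildcard] = seg;
      next = node[wildcard];
    }
    node = next;
    if (node[key] !== undefined && compileRule(node[key])(auth, vars)) return true;
  }
  return false; // default deny
}

// The operations the question cares about, under a given rule set.
// "simplelogin:58" is the uid quoted in the question; the attacker's uid and
// the other paths are constructed for this example.
function scenarios(ruleSet) {
  const alice = { uid: "simplelogin:58" };
  const attacker = { uid: "simplelogin:99" }; // throwaway account, as in the console snippet
  return {
    // ref = new Firebase(".../users"); ref.remove()  => needs .write at /users
    attackerWipesUsers: isAllowed(ruleSet, "write", "/users", attacker),
    // edit(): update on /users/<own uid>
    aliceEditsOwn: isAllowed(ruleSet, "write", "/users/simplelogin:58", alice),
    // update on someone else's profile
    aliceEditsOther: isAllowed(ruleSet, "write", "/users/simplelogin:99", alice),
    // register(): set on /users/<uid> before the client has authenticated
    unauthenticatedWrite: isAllowed(ruleSet, "write", "/users/simplelogin:58", null),
    // login(): on("value") at /users/<own uid>
    aliceReadsOwn: isAllowed(ruleSet, "read", "/users/simplelogin:58", alice),
    // anyone listing /users without logging in
    anyoneReadsAll: isAllowed(ruleSet, "read", "/users", null),
  };
}

console.log("open rules:    ", scenarios(OPEN_RULES));
console.log("per-user rules:", scenarios(PER_USER_RULES));
```

Two things the model makes visible. First, a rule on `users/$user` grants nothing at `/users` itself, so the `ref.remove()` in the console snippet needs a `.write` at `/users` or above: it succeeds under the original open rules and is refused under the per-user rules. Second, a `set()` to `/users/<uid>` is refused while `auth` is still null, so the client must authenticate before writing its profile; `register()` in the question writes the profile inside the `createUser` callback before calling `login()`, and in the legacy SDK creating an account does not sign the client in. Note also that the intermediate rule set with `".read": true` at `users` lets anyone, authenticated or not, read every profile; the last rule set in the answer limits reads to the owner as well.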