
Correct way to set up security for Firebase DB

Okay, I have the following use case for Firebase:

Client wants us to store data from a form and put it into the DB. This is handled on the backend with Express.

This has to be done pretty quickly, so I just want to make sure I do it correctly.

I currently have the rules for read and write access set to true. Would this be okay in production, given that users can only input data through the form? And they wouldn't have access to the API key, so other users couldn't mess with the data?

From your description it sounds like you have:

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

This means that anyone who can find the URL for your database (https://yours.firebaseio.com) can write to the database. It doesn't matter if they use your form, directly use a Firebase SDK, or even if they just make a REST request using curl:

curl -X DELETE 'https://yours.firebaseio.com/.json'

This last line will delete your entire database. And all it takes is one malicious user or one typo while you're developing (this happens a lot more than you'd think).

So you really should set up your database security rules to:

  1. validate that the data is in the correct format
  2. make sure that only authenticated users can access the data that they're authorized for
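A rules file that applies both points, added here as an example rather than taken from the original answer. It assumes the submissions live under a `formSubmissions` node with `name`, `email`, `message` and `createdAt` fields, and that staff who may read them carry an `admin` custom claim; none of those names come from the question.

```json
{
  "rules": {
    "formSubmissions": {
      "// comment": "assumed path; only signed-in users with an admin claim may read submissions",
      ".read": "auth != null && auth.token.admin === true",
      "$submissionId": {
        "// comment": "signed-in users may create a submission once; no update or delete",
        ".write": "auth != null && !data.exists()",
        ".validate": "newData.hasChildren(['name', 'email', 'message', 'createdAt'])",
        "name": {
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 100"
        },
        "email": {
          ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+\\.[^@]+$/)"
        },
        "message": {
          ".validate": "newData.isString() && newData.val().length <= 2000"
        },
        "createdAt": {
          ".validate": "newData.isNumber() && newData.val() <= now"
        },
        "$other": {
          ".validate": false
        }
      }
    }
  }
}
```

With no top-level `.read` or `.write`, every path not listed is denied, which is the opposite of the `true`/`true` rules above. An Express backend writing through the Admin SDK with a service account bypasses these rules entirely, so they govern only direct client access to the database URL.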

Yes, having both read and write permissions set to true is a big security hole for multiple reasons:

  • Public read access creates a privacy problem for your users if you handle any personal information.
  • It is also a breach of confidentiality with your client if you expose their business data to the public without their consent.
  • Public write access allows anyone with your database URL to delete or modify its contents at will.

Also note that if your app exposes Firebase through its front-end to the users, getting your database URL is as simple as reading through the app's HTML source.

What you can do, however, is authenticate your app through the server side and set private access to the database. Take a look at how to create a service account, also detailed here.

If you use an older version of Firebase, you will have to use server tokens.

Hope this helps!

