Angular's services processed on client-side or server-side?

Let's say I host and serve my Angular with Firebase Hosting, and use the Angular services to call API to my Firebase Functions, Firestore and Firebase Authentication.

I would like to know if there is a chance that the code or processed data in Angular could leak:

1) If I hardcode my API key in the services, will it be a security breach to leak my API key?

2) The data that gets from Firestore to Angular services, and the data processed in services, are they processed on the server side or the client side?

Thank you.

Answer to Question 1/ Your API keys will be "public", but it is not a problem; see this "famous" answer: Is it safe to expose Firebase apiKey to the public? So no "security breach".


Answer to Question 2/ Your Angular services are executed on the client side, so the data you get from Firestore is processed on the client side. The role of Firebase Hosting is only to send your Angular files up to the client when they are needed (i.e. requested by the client).

This means that you should probably add some security rules to your Firestore database (and build your queries accordingly) in order to send to the client only the data he/she can read. Those Security rules are the Authorization part of the Authentication/Authorization mechanism, while Firebase Authentication would be the first part. You can read the documentation about Firestore Security rules here (note that they are something totally different from your API keys), and about Firebase Authentication here.

Finally, note that, with Firebase, the only part of your code that runs in the back-end (i.e. server side) is the code you write for Cloud Functions. So, if you call, from your Angular application, a Cloud Function (e.g. an HTTPS Callable function or with an HTTP request) the code of this Function will be executed on the server side and only the resulting data would be sent back to the Angular app (client side).
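A Firestore Security Rules sketch of the authorization layer the answer describes, added here as an illustration and not part of the original answer. The collection names `users` and `orders` and the `ownerId` field are assumptions made for the example.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak setting, shown commented out for contrast: with this rule,
    // anyone holding the (public) API key could read and write everything.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Hypothetical per-user profile documents: only the signed-in owner
    // (identified by Firebase Authentication) may read or write them.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Hypothetical orders collection; each document carries an ownerId field.
    match /orders/{orderId} {
      // Rules are not filters: a client query must itself be restricted
      // to ownerId == the caller's uid, otherwise the whole query is denied.
      allow read: if request.auth != null
                  && resource.data.ownerId == request.auth.uid;

      // A client may only create an order in its own name.
      allow create: if request.auth != null
                    && request.resource.data.ownerId == request.auth.uid;

      // No client-side updates or deletes. Cloud Functions using the
      // Admin SDK run server side and are not subject to these rules.
      allow update, delete: if false;
    }
  }
}
```

Documents that match no rule are denied by default, so anything not listed above stays unreadable from the Angular client.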
