请求数据时以及未使用Firebase身份验证的情况下,如何编写Firebase Firestore的安全规则?
[英]How to write security rules for firebase firestore when request data and in case where we have not used firebase authentication?
问题描述
I have used Firebase Firestore for database storage. 
我已使用Firebase Firestore进行数据库存储。 I had a scenario in which i need to manage users login and logout using phone number and OTP . 我有一个需要使用电话号码和OTP管理用户登录和注销的方案。 and as Firebase authentication manages authentication using email id or if you want to use it with phone number every time you need to verify it using OTP which was not feasible for my application so, I created my own process of authentication in which I am using OTP authentication once and I store users data to the collection and then after when users login I directly check it from collection. 并且由于Firebase身份验证使用电子邮件ID来管理身份验证,或者如果您想在每次需要使用OTP进行验证时都使用电话号码进行身份验证,这对于我的应用程序来说是不可行的,因此,我创建了自己的身份验证流程,其中我正在使用OTP进行一次身份验证,然后将用户数据存储到集合中,然后在用户登录后直接从集合中检查它。
It is perfectly working now but as I am facing issues while changing security rules as I want to restrict user in reading database. 它现在可以正常工作,但是由于要限制用户读取数据库,因此在更改安全规则时遇到了问题。 But I don't know how to write it as I have found many solution till now but that all were having auth in request but as I am not using auth I may not have auth in request and could find it null. 但是我不知道如何编写它,因为到目前为止我已经找到了许多解决方案,但是所有人都在请求中使用auth,但是由于我没有使用auth,所以我可能没有在请求中使用auth,并且可能发现它为null。
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write : if true;
}
}
}
I have given read and write access to all the collection so, anyone having key can access db but I want to restrict it using security rules and I have kind of found a way of restricting user when creating or updating as I will be getting resource when requesting for set or update but in case of reading or getting data it might not have resources as i am not passing any data . 我已经授予所有集合的读写访问权限,所以任何拥有密钥的人都可以访问db,但是我想使用安全规则来限制它,并且我发现了一种在创建或更新时限制用户的方法,因为当我获取资源时请求设置或更新,但是在读取或获取数据的情况下,它可能没有资源,因为我没有传递任何数据。 So please help me if you know how can I write such rules. 因此,如果您知道如何编写此类规则,请帮助我。 Thanks In Advance... 提前致谢...
1 个解决方案
解决方案1
0 2019-05-27 13:53:41
To allow only users that are authentication with Firebase access to data , you rules would be: 要仅允许通过Firebase进行身份验证的用户访问数据 ,您的规则应为:
allow read, write: if request.auth.uid != null;
It isn't possible to do the same without Firebase Authentication, as the only way to pass data about the user into security rules is through Firebase Authentication. 如果没有Firebase身份验证,则无法执行此操作,因为将有关用户的数据传递到安全规则中的唯一方法是通过Firebase身份验证。
If you have your own authentication mechanism, you can implement that as a custom provider within Firebase Authentication . 如果您拥有自己的身份验证机制,则可以在Firebase Authentication中将其实现为自定义提供程序 。 In this approach you use server-side code to generate a Firebase token based on the information you have about the user, and the information from that token then becomes available in the security rules under auth.token . 在这种方法中,您可以使用服务器端代码根据您拥有的有关用户的信息来生成Firebase令牌,然后该令牌中的信息将在auth.token下的安全规则中变为可用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.