堆栈内存溢出
  简体   繁体   English

Firebase安全规则,如何对客户端应用而非用户进行身份验证?

[英]Firebase security rules, How to authenticate client app, not the users?

 原文  2019-07-27 06:48:13       firebase/ authentication/ google-cloud-platform/ firebase-security-rules

问题描述

As I understand firebase security rules are for authenticating different types of users and provide authorization based on that, but what if my application doesn't need users to register at all? 据我了解,firebase安全规则用于对不同类型的用户进行身份验证并基于该身份提供授权,但是如果我的应用程序根本不需要用户注册,该怎么办? What if I just need to authenticate the application, not the users? 如果我只需要认证应用程序而不是用户认证怎么办? What I mean by that is, I need to assure that particular firebase products are only accessed through an given application. 我的意思是,我需要确保仅通过给定的应用程序访问特定的Firebase产品。

What I currently do to achieve that is, just make the security rules public assuming that the specific firebase sdk does the authentication stuff, but when I do that, I get the weird warning from the firebase console that security rules shouldn't be public. 我目前要实现的目标是,假设特定的Firebase sdk进行身份验证工作,然后公开安全规则,但是当我这样做时,我从Firebase控制台收到奇怪的警告,即安全规则不应公开。 What am I doing wrong? 我究竟做错了什么?

Another question, shouldn't we authenticate any application trying to access the firebase products even before starting the user authentication? 另一个问题,我们是否不应该在开始用户认证之前就对尝试访问Firebase产品的任何应用程序进行认证?

I also would like to learn how this is done generally (best practices) when developing serverless applications with firebase/google cloud platform products. 我还想了解在使用Firebase / google cloud平台产品开发无服务器应用程序时通常如何完成此操作(最佳做法)。

1 个解决方案

解决方案1
 0  2019-07-27 06:59:12

Firebase security rules don't support authenticating apps, only users. Firebase安全规则不支持仅对用户进行身份验证的应用程序。 Authentication of an app would be pretty easy to simulate by an attacker, as all you would need is the secret compiled into the app in order to fool the rule. 攻击者很容易模拟应用程序的身份验证,因为您所需要做的就是将应用程序中的机密编译出来以欺骗规则。 Even if you obfuscate the secret data, it's still just public data, and someone will figure out how to use it. 即使混淆了秘密数据,它仍然只是公共数据,有人会弄清楚如何使用它。

Once you ship an app to the world, you should consider everything in it to be public information, no matter how hard you might think it would be to extract that information (it's not that hard, really). 一旦你船的应用世界,你应该考虑一切都在它是公共信息,不管你怎么可能很难认为这将是提取该信息(这并不难,真的)。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 根据 firebase rest api 安全规则对用户进行身份验证 - Authenticate an user on firebase rest api security rules 如何设置安全规则以防止其他用户在 firebase 中更新数据 - how to set security rules to prevent updating of data by other users in firebase 如何允许现有用户仅编辑其数据? (Firebase安全规则) - How to allow existing users to edit their data only? (Firebase security rules) 如何使用 firebase 规则进行身份验证(RESTful) - How to authenticate with firebase rules (RESTful) nodejs 应用程序的 Firebase 安全规则 - Firebase security rules for nodejs app Firebase:协作应用的安全规则 - Firebase: Security rules for a collaborative app 如何为Android App设置Firebase数据库安全规则 - How can I set Firebase Database Security Rules for Android App VueJs CRUD 应用程序和 Firebase 授权不起作用? 尝试支持 Auth 用户的安全规则 - VueJs CRUD app and Firebase Authorization not working? Trying to shore up security rules for Auth Users firebase中如何给用户设置规则? - How to set rules to users in firebase? 不使用 Firebase 安全规则怎么会有安全风险? - How is not using Firebase Security Rules a security risk?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM