
Flutter/Firebase: Admin features in-app or cloud functions?

I'm writing an app with Flutter and Firebase (using both Firestore, Storage and Authentication so far).

Currently the app shows content from Firebase, but now I'm trying to figure out what the best way is to implement writing/editing/removing stuff in Firebase.

The goal is to have users with admin privileges.

My question is if I can build an Admin Panel inside the client app (which would be ideal), or if that's considered bad practice and I should build an Admin Panel in another app and use Cloud Functions.

For example, currently I perform Authentication (signup/register) in the Flutter/Dart code and when registering it creates a field in Firestore isAdmin = false, which I then can manually set to true (if I want) in the Firestore console. Could this somehow be an "unsafe" way of doing this?

The goal is to have users with admin privileges

Since you are using the Authentication service you already have half of the solution: with authentication you can identify each user who is using your app.

The other part is Authorization: this is normally done with Security Rules in Firebase, both for Firestore and Cloud Storage.

To be able to authorize certain users (identified through authentication) with Admin privileges, you need to know which users have the admin role in such a way that you authorize them to execute the admin functions.

One possible way to identify the admin users is to have an isAdmin flag in some user documents in Firestore, as you mention in your question. There is an example of Firestore Security Rule using this approach in the documentation.

HOWEVER, you will encounter some problems if you want to use this flag (stored in Firestore) with Security Rules for Cloud Storage. At the time of writing, it is not possible to read the value of a Firestore document in Security Rules for Cloud Storage.

The solution is to use Custom Claims. You will find all the details in the doc on how to implement it in such a way that it fulfills your needs.

Can I build an Admin Panel inside the client app?

Yes, you can very well do that. As soon as your security is correctly implemented (through Authentication and Security Rules, as explained above), there is nothing that prevents you from developing an Admin panel. If a user that is not admin can access the Admin panel, he/she will not be able to perform the admin actions (i.e. writing/editing/removing Firestore or Cloud Storage data).

Moreover, with Custom Claims, you can access them in the front-end to modify the client UI based on the user's role or access level (i.e. showing the pages, buttons and menu items of the Admin module only to admin users - note however that this does not prevent someone from reverse engineering your app and executing the queries dedicated to admin users: this is why it is key to correctly implement the Authentication and Security Rules parts -). See this section in the Custom Claims doc.

Should I build an Admin Panel in another app and use Cloud Functions?

If you don't want to over-complexify your app with some logic to hide/show the Admin panel elements (based on Custom Claims, see above) you can very well build the Admin Panel in another app.

If you have specific needs/access restrictions that cannot be implemented through standard Security Rules you could very well use some Cloud Functions to check that the user is an admin and to execute the writing/editing/removing admin actions (note however that while it is quite easy to interact with Firestore from a Cloud Function, it can be a bit more tricky with Storage: using the Cloud Storage Client SDKs is much easier than interacting with Cloud Storage through Cloud Functions).

You would preferably use Callable Cloud Functions, since "with callables, Firebase Authentication and FCM tokens, when available, are automatically included in requests". (See https://firebase.google.com/docs/functions/callable).


Side Note: You may be interested in this article, which details how to create an Admin module for managing users access and roles. (Disclaimer: I'm the author).
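Added example (not part of the original answers, and not Firebase's own code): the admin check a callable Cloud Function would perform, deciding from the verified token's custom claim and never from the request payload. The claim name `admin`, the `articles` collection, `deleteArticle`, `fakeDb` and the local `HttpsError` stand-in are assumptions made for illustration; the Firebase wiring is injected so the logic runs without the SDK.

```javascript
// In a deployed (v1) callable function the wiring would be:
//   exports.deleteArticle = functions.https.onCall(
//     (data, context) => deleteArticle(data, context, admin.firestore()));

// Local stand-in for functions.https.HttpsError (same status code strings).
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Authorize from the verified ID token only. context.auth is populated by the
// callable runtime after it validates the token; `data` is client-controlled.
function requireAdmin(context) {
  if (!context || !context.auth) {
    throw new HttpsError('unauthenticated', 'Sign-in required.');
  }
  const token = context.auth.token || {};
  // Hypothetical claim name, set server-side with the Admin SDK's
  // setCustomUserClaims(uid, { admin: true }). Strict check: 'true' !== true.
  if (token.admin !== true) {
    throw new HttpsError('permission-denied', 'Admin role required.');
  }
  return context.auth.uid;
}

async function deleteArticle(data, context, db) {
  const uid = requireAdmin(context); // any isAdmin field in `data` is ignored
  const id = data && data.articleId;
  if (typeof id !== 'string' || id.length === 0 || id.includes('/')) {
    throw new HttpsError('invalid-argument', 'articleId must be a document id.');
  }
  await db.collection('articles').doc(id).delete();
  return { deleted: id, by: uid };
}

// Constructed in-memory stand-in for the Firestore calls used above.
function fakeDb(store) {
  return {
    collection: (name) => ({
      doc: (id) => ({ delete: async () => { delete store[`${name}/${id}`]; } }),
    }),
  };
}
```

A request that carries `isAdmin: true` in its payload is still rejected with `permission-denied` unless the caller's token holds the claim.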

The idea of creating an admin panel for any Flutter app

The idea is for two applications with different names and they will be linked to each other with Firebase.

For more details see the video from the link https://youtu.be/d7qoff-I8BU

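Notice: The technical posts on this site follow the CC BY-SA 4.0 license. If you need to reproduce them, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.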
