
How to protect against Javascript changes on the client side

I am developing an app using the firestore database and I am facing certain security issues. For example, the app adds the create and write date with each form submit and checks if the write date is late; if so, the user must pay a penalty. Since the javascript code is visible and can be changed on the client side, the user can modify the write date and bypass the penalty.

To solve the issue I have two options. First, I can use the server side, which costs me extra server hardware, which I don't want. The second option is using a cloud function, which costs much more than upgrading my server hardware. Is there any better option to deal with this issue?

No.

If you want to generate data in a way that the user cannot interfere with it, then you have to generate it on a computer you control (it doesn't matter if it is traditional hosting or distributed cloud hosting) and not on a computer the user controls.

Indeed, for you to have complete control over the system, it needs to be programmed and developed in a way that doesn't hand "power" to the user, as client-side JavaScript does.

Using Cloud Functions would be the best option for you, as you mentioned. I would recommend you take a look at the Pricing. There are some very good options, including a free one. In case you are just starting a system/application, using the free tier might be the best option for you. :)

You might want to have a look at the documentation for Firebase's server-side security rules. These rules can be used to validate read and write operations that are made directly from the client, and in many cases can cover a large portion of the security needs of direct-from-client access.

In cases where performing certain checks in security rules proves impossible or unfeasible, Cloud Functions are a great second tier.
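Applied to the write-date case from the question, this is what such a rule set can look like. It is an added example, not code from the original answers; the collection name `submissions`, the field names `uid`, `submittedAt` and `answers`, and the assumption that the client sends `serverTimestamp()` for `submittedAt` are all assumptions of the example. The point is that the date is fixed by the server at receipt time, so edited client-side JavaScript cannot backdate it.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed collection and field names; not taken from the question.
    match /submissions/{submissionId} {
      // A signed-in user may create a submission only if the stored write
      // date equals the time the server received the request. A client that
      // sends FieldValue.serverTimestamp() passes, because rules evaluate
      // that sentinel as request.time. A client that sends its own, earlier
      // date is rejected, so the penalty check cannot be bypassed.
      allow create: if request.auth != null
        && request.resource.data.uid == request.auth.uid
        && request.resource.data.submittedAt is timestamp
        && request.resource.data.submittedAt == request.time
        && request.resource.data.keys().hasOnly(['uid', 'submittedAt', 'answers']);

      // Later edits may not change the owner or rewrite the write date.
      // request.resource.data is the document as it would look after the
      // update, so the comparison also covers partial (merge) updates.
      allow update: if request.auth != null
        && resource.data.uid == request.auth.uid
        && request.resource.data.uid == resource.data.uid
        && request.resource.data.submittedAt == resource.data.submittedAt;

      // Owners can read their own submissions; nobody can delete one.
      allow read: if request.auth != null && resource.data.uid == request.auth.uid;
      allow delete: if false;
    }
  }
}
```

With these rules the client writes `submittedAt: serverTimestamp()` and never a date of its own, and whatever decides the penalty reads that server-set field rather than anything supplied by the browser.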
