Is there a way to protect Firebase Cloud Functions being called from intruders without user authentication?

I'm using Firestore as a database for my website to store my data. I'd like to use Firebase cloud functions to use the cache, in order to limit my reading requests which are limited to 50000 per day.

The fact is, my users don't need to be authenticated to fetch some basic data, and I'd like to know if you could figure out a way to proceed endpoint calls from only an authorized application.

So far I've been thinking of creating my own "secret key" to pass as a parameter in my request and this is the only solution I found on the subject, but I know this isn't real security as far as you can see the body of the request in the console. The only other solutions I found on the web would be to make sure users are authenticated to check their token, but I don't want to force them to get logged in to use my website.

I'm kind of disappointed that there are no clear ways to identify my application as a trusted one through the Firebase ecosystem... If you have any clue, it would be very helpful.

It's not possible to fully protect an HTTP function to be called from just your app. Here's why:

  1. Client devices should be considered compromised and under full control of a malicious user. As such, you can't trust any code on them, even if it came with your own app.
  2. If you can't trust the code, then can't trust any information held in memory by that code.
  3. If you can't trust what's in memory, then you can't trust anything passed to your backend. This means you really have no way of protecting it from malicious use at all.

Cloud Functions doesn't offer any solutions here, because there are no 100% bulletproof solutions that can be deployed with application code that sits on a user's device. What you're doing now might be "good enough" to prevent casual hacking, but bear in mind that anyone could get a hold of that token for the purpose of spoofing calls, and you'd never know that was happening.

This is why developers use Firebase Auth or some other auth mechanism, as a way to have an independent source verify the identity of the end user that can't be compromised by malicious client code, or at least not for more than 1 hour after an ID token is leaked.
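The contrast drawn in the answer, as an added example that is not part of the original post and is not Firebase's own code: a static key embedded in the client is accepted forever once copied, while a token signed by an independent issuer cannot be altered by client code and stops working after its one-hour lifetime. The token layout and the names `issueToken`, `verifyToken`, `checkStaticKey` and `STATIC_KEY` are assumptions made for the illustration.

```javascript
// Added illustration: simplified stand-in for signed, expiring ID tokens.
const crypto = require('node:crypto');

// The auth service, independent of the client, holds the private key.
// The backend function only needs the public key.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
});

const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Issuer side: sign { uid, exp } with a one-hour lifetime.
function issueToken(uid, nowSec) {
  const payload = encode({ uid, exp: nowSec + 3600 });
  const sig = crypto.sign('sha256', Buffer.from(payload), privateKey);
  return `${payload}.${sig.toString('base64url')}`;
}

// Backend side: returns the claims, or null if the token is malformed,
// was not signed by the issuer, or has expired.
function verifyToken(token, nowSec) {
  const [payload, sig] = String(token).split('.');
  if (!payload || !sig) return null;
  const genuine = crypto.verify(
    'sha256',
    Buffer.from(payload),
    publicKey,
    Buffer.from(sig, 'base64url')
  );
  if (!genuine) return null;
  // The signature is valid, so the payload is exactly what the issuer wrote.
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  return claims.exp > nowSec ? claims : null;
}

// The "secret key" approach from the question (constructed sample value).
// It is visible in the request, identical for every caller, and never
// expires, so a copied key is indistinguishable from the real app.
const STATIC_KEY = 'constructed-sample-key';
function checkStaticKey(key) {
  return key === STATIC_KEY;
}
```

In a deployed function the verification step is done by the Firebase Admin SDK's `verifyIdToken`, which checks the signature and expiry of the ID token sent by the client.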
