Is there a way to protect Firebase Cloud Functions being called from intruders without user authentication?
I'm using Firestore as a database for my website to store my data. I'd like to use Firebase cloud functions to use the cache, in order to limit my reading requests which are limited to 50000 per day.
The fact is, my users don't need to be authenticated to fetch some basic data, and I'd like to know if you could figure out a way to process endpoint calls from only an authorized application.
So far I've been thinking of creating my own "secret key" to pass as a parameter in my request and this is the only solution I found on the subject, but I know this isn't real security as far as you can see the body of the request in the console. The only other solution I found on the web would be to make sure users are authenticated to check their token, but I don't want to force them to get logged in to use my website.
I'm kind of disappointed that there are no clear ways to identify my application as a trusted one through the Firebase ecosystem... If you have any clue, it would be very helpful.
It's not possible to fully protect an HTTP function so that it can only be called from your app. Here's why:
Cloud Functions doesn't offer any solutions here, because there are no 100% bulletproof solutions that can be deployed with application code that sits on a user's device. What you're doing now might be "good enough" to prevent casual hacking, but bear in mind that anyone could get a hold of that token for the purpose of spoofing calls, and you'd never know that was happening.
This is why developers use Firebase Auth or some other auth mechanism, as a way to have an independent source verify the identity of the end user that can't be compromised by malicious client code, or at least not for more than 1 hour after an ID token is leaked.