Firebase 使用 Socket.IO 从客户端安全地向服务器发送请求?
[英]Firebase Sending Request to Server from Client Safe Using Socket.IO?
问题描述
I understand that security rules are the safest way to protect data however it doesn't support my method in storing user data when they click on specific elements.
我了解安全规则是保护数据的最安全方法,但它不支持我在用户单击特定元素时存储用户数据的方法。 This is because if I turn write == true they are able to change the database willingly which I don't want them to do;这是因为如果我将 write == true 设为 true,他们就可以自愿更改数据库,而我不希望他们这样做; I just want to record their input from my website privately.我只是想私下记录他们从我的网站上输入的内容。
Hence, my solution was to create another database on the server.因此,我的解决方案是在服务器上创建另一个数据库。 Initialise the firebase realtime database on the server.js file.在 server.js 文件中初始化 firebase 实时数据库。 I thought this would be ideal, as the client doesn't access to any of the credentials (And yes I know, even if the user does have it, it's not that bad anyway but just in case).我认为这将是理想的,因为客户端无法访问任何凭据(是的,我知道,即使用户确实拥有它,它也不是那么糟糕,但以防万一)。
So if I were to use socket.io to request from the client (all they see is "socket.emit('value', 'value')) then wouldn't it be safe as they are not seeing anything related to the firebase database as it is all on the server (which is not shown to the user)?因此,如果我要使用 socket.io 向客户端请求(他们看到的只是“socket.emit('value', 'value'))那么这不是安全的,因为他们没有看到与 firebase 数据库相关的任何内容它都在服务器上(不向用户显示)?
I just want clarification on if this is safe and ideal because it seems to logically work if I were to neglect the security rules.我只想澄清这是否安全和理想,因为如果我忽略安全规则,它似乎在逻辑上有效。
Apologise to the previous users that replied on my previous post, this may be very similar but I have elaborated a little bit more to make what I am doing a bit more clearer.向在我之前的帖子中回复的之前的用户道歉,这可能非常相似,但我已经详细说明了一点,以使我正在做的事情更清楚一点。
Thanks for all your help.感谢你的帮助。
Client Code:客户代码:
var a = 0; socket.emit('value', a);
Server Code:服务器代码:
firebase.initializeApp({ apiKey: VALUE, authDomain: VALUE, databaseURL: VALUE, projectId: VALUE, storageBucket: VALUE, messagingSenderId: VALUE, appId: VALUE, measurementId: VALUE }); socket.on('value', function(data) { var ref = firebase.database().ref('node'); ref.set(data); })
1 个解决方案
解决方案1
1 2020-05-25 01:19:53
The code you shared indeed seems (unlike your first question ) to no longer expose identity of your Firebase project to the caller.您共享的代码确实似乎(与您的第一个问题不同)不再向调用者公开您的 Firebase 项目的身份。 So there is no way for the caller to determine the database URL from what you shared.因此,调用者无法从您共享的内容中确定数据库 URL。
Whether this is secure enough for your needs, only you can determine.这是否足以满足您的需求,只有您可以确定。 But a few things to keep in mind:但有几点要记住:
- If a user can find the database URL through another means, your
".read": true, ".write": truerules still allow them to both read all data, and write whatever they want.如果用户可以通过另一种方式找到数据库 URL,那么您的".read": true, ".write": true规则仍然允许他们读取所有数据并写入任何他们想要的内容。 - Your code allows writing anything the user wants to the database.您的代码允许将用户想要的任何内容写入数据库。 You'll want to lock that down either in your code, or with Firebase's server-side security rules.您需要在代码中或使用 Firebase 的服务器端安全规则将其锁定。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.