堆栈内存溢出
  简体   繁体   English

如何在 Firebase 身份验证上验证自定义用户信息?

[英]How to validate custom user information on Firebase Authentication?

 原文  2021-02-18 07:21:36       javascript/ firebase/ google-cloud-firestore/ firebase-authentication

问题描述

Context语境

I'm using Firebase phone authentication.我正在使用 Firebase 电话身份验证。 and i have one mobile app for users and one web app for admin.我有一个供用户使用的移动应用程序和一个供管理员使用的 web 应用程序。 both users are stored in one collection.两个用户都存储在一个集合中。

Requirement要求

Now I want to validate that user is a admin when a user try to login in Web Application.现在我想在用户尝试登录 Web 应用程序时验证该用户是管理员。 I keep data with users that "isAdmin" like this...我与这样的“isAdmin”用户保存数据......


users:[
 {
   name:'John Doe', 
   phoneNumber:'+911234567890', 
   isAdmin:true
 } ]

Now I want to validate every web authentication that user is an admin.现在我想验证用户是管理员的每个 web 身份验证。 otherwise i want deny the authentication,否则我想拒绝身份验证,

Language: Javascript语言:Javascript

1 个解决方案

解决方案1
 3  2021-02-18 11:34:49

Since the user's role is stored in a user document in a Firestore collection (named users if I correctly understand), when the user is signed-in (and therefore you have the user's uid and phone number) you should query the users Firestore collection to get his/her role ( isAdmin true or false).由于用户的角色存储在 Firestore 集合中的用户文档中(如果我理解正确,则命名为users ),当用户登录时(因此您有用户的 uid 和电话号码)您应该查询users Firestore 集合以获得他/她的角色( isAdmin true 或 false)。

Then based on the role, you can either display the content of the Admin app or show an error and sign-out the user (you cannot "deny the authentication" but you can sign-out the user after he/she signs-in).然后根据角色,您可以显示管理应用程序的内容或显示错误并注销用户(您不能“拒绝身份验证”但您可以在他/她登录后注销用户) .

HOWEVER, the most important is to secure your database (and other Firebase backend services, if you use them) with some Security Rules based on the role.然而,最重要的是使用一些基于角色的安全规则来保护您的数据库(以及其他 Firebase 后端服务,如果您使用它们)。 If your backend is secured, a non-authorized user who succeeds in opening or reverse-engineering your Admin frontend app can maybe see the GUI elements but cannot read and modify the corresponding data.如果您的后端是安全的,则成功打开或逆向工程您的管理前端应用程序的非授权用户可能会看到 GUI 元素,但无法读取和修改相应的数据。

Since you store the role in a Firestore document, you need to use, in your Security Rules, the get() function, in order to get the contents of the user document.由于您将角色存储在 Firestore 文档中,因此您需要在安全规则中使用get() function,以获取用户文档的内容。 See the example in the doc .请参阅文档中的示例。

Having said that, another classical approach to set up a role-based access-right strategy is to use Custom Claims , as explained by @Ashish in his answer.话虽如此,另一种设置基于角色的访问权限策略的经典方法是使用Custom Claims ,正如@Ashish 在他的回答中所解释的那样。

One main advantage of using a Custom Claim is that the role (the claim) is contained by the ID token and therefore no additional lookup to a Firestore doc is needed to check for admin permissions.使用自定义声明的一个主要优点是角色(声明)包含在 ID 令牌中,因此不需要额外查找 Firestore 文档来检查管理员权限。

You should note that you can only set Custom Claims from a privileged server environment by using the Firebase Admin SDK. This means via a server you own or via a Cloud Function (see this article , for example).您应该注意,您只能使用 Firebase Admin SDK 从特权服务器环境设置自定义声明。这意味着通过您拥有的服务器或通过云 Function(例如,请参阅本文)。 You could also use the new dedicated "experimental" extension .您还可以使用新的专用“实验性”扩展

Setting the roles through a Firebase doc, as you do, is easier (just a document write or update), but you need to correctly secure the collection, in order to avoid a malicious user can modify a user doc.通过 Firebase 文档设置角色,就像您一样,更容易(只需编写或更新文档),但您需要正确保护集合,以避免恶意用户可以修改用户文档。

Another advantage of Custom Claims is that they can be used in the Security Rules of all the services (Firestore, Cloud Storage, RTDB).自定义声明的另一个优势是它们可以用于所有服务(Firestore、Cloud Storage、RTDB)的安全规则 With role declaration via a Firestore doc, you should note that you cannot get this role in a Cloud Storage or RTDB Security Rule (you cannot read Firestore from Security Rules of the other services).通过 Firestore 文档进行角色声明时,您应该注意,您无法在 Cloud Storage 或 RTDB 安全规则中获得此角色(您无法从其他服务的安全规则中读取 Firestore)。

解决方案2
 0  2021-02-18 09:25:00

Context语境

I'm using Firebase phone authentication.我正在使用 Firebase 电话身份验证。 and i have one mobile app for users and one web app for admin.我有一个供用户使用的移动应用程序和一个供管理员使用的 web 应用程序。 both users are stored in one collection.两个用户都存储在一个集合中。

Requirement要求

Now I want to validate that user is a admin when a user try to login in Web Application.现在我想在用户尝试登录 Web 应用程序时验证该用户是管理员。 I keep data with users that "isAdmin" like this...我与“isAdmin”这样的用户保存数据......


users:[
 {
   name:'John Doe', 
   phoneNumber:'+911234567890', 
   isAdmin:true
 } ]

Now I want to validate every web authentication that user is an admin.现在我想验证用户是管理员的每个 web 身份验证。 otherwise i want deny the authentication,否则我想拒绝身份验证,

Language: Javascript语言:Javascript

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Firebase 认证自定义认证 - Firebase Authentication Custom Authentication Firebase认证中如何查看用户是否已经注册 - How to check if a user is already registered in Firebase Authentication 如何在没有 firebase 身份验证的情况下获取用户 ID? - how to get the user ID without firebase authentication? 如何实现 Firebase 自定义认证后端? - How to implement Firebase custom authentication backend? 如何在 react(+reactfire) 中使用 firebase 持久化用户身份验证 - How to persist the user authentication with firebase in react(+reactfire) 使用自定义令牌的 Firebase 身份验证 - Firebase authentication with custom token 使用 Java(IllegalArgumentException)验证 Firebase 用户 - Validate Firebase User with Java (IllegalArgumentException) Reactjs 用户认证 firebase - Reactjs user Authentication with firebase 如何在Firebase中注册email包含大写字母的用户认证 - How to register a user whose email contains a capital letter in Firebase Authentication Firebase Authentication ( Email & Password ) 如何查看现有用户 - Firebase Authentication ( Email & Password ) how to check existing user
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM