

Why can firebase-admin not be run in the browser?

Several questions have asked to run the firebase-admin package in the browser, such as

However, both the questions and the answers given do not properly distinguish between the "browser vs. server/backend" distinction and the "end-user vs. privileged" distinction. A common theme seems to be warning against opening up firebase-admin for end-users, which is obviously a security risk, but they do not explain why a privileged user cannot access privileged Firebase functionality from code running in the browser, only from a backend / server.

So, assuming that a user has sufficient privileges (say, firebase project owner) and is willing to perform whatever authentication is needed to transfer these privileges to code running in the browser -- what reasons are there for not doing this? Will it not work? Are there security risks? Is it simply discouraged because a significant fraction of developers will make mistakes WRT the exact requirements for making this work securely?

I think you have a misunderstanding about what a "privileged user" is, as you say.

firebase-admin is initialized with a service account. This is not the same as a Firebase Auth user account. Service accounts are entities belonging to a cloud project that are granted privileged access to some resources in that project. This is how firebase-admin operates - you init with a service account and gain that privileged access. firebase-admin does not init with a user account.

You never want to expose service account credentials to a web browser. That's a huge security risk. Since firebase-admin requires a service account, you will never want to use firebase-admin in the browser, where it will be seen as public information.

The whole point of the documentation on the matter is to get you to write code to send Firebase Auth user tokens to your backend, where you can safely validate them and decide if that end user should be able to perform privileged operations using firebase-admin. There is really no safe workaround to this scheme - this is the pattern you should follow.
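The pattern the answer describes, as an added example that is not part of the original post or of the firebase-admin project: the browser only ever holds the signed-in user's Firebase ID token (which is designed to be handed to clients and sent over the wire), while the service-account key stays on the server, where firebase-admin verifies the token and then decides, from a claim on the verified token, whether the caller may run a privileged operation. The Express-style `(req) => response` handler shape, the custom claim name `admin`, the `/admin/grant` route and the token values are assumptions; the verifier and the privileged operation are injected so the decision logic can run offline here, with the production wiring shown in the comments.

```javascript
// Added example (not the original post's or firebase-admin's own code).
//
// Production wiring (assumed; firebase-admin and firebase are not loaded here):
//
//   // server side only: the service-account key never leaves this process
//   const admin = require('firebase-admin');
//   admin.initializeApp({ credential: admin.credential.applicationDefault() });
//   const handler = createPrivilegedHandler({
//     verifyIdToken: (token) => admin.auth().verifyIdToken(token),
//     performPrivilegedOp: (actorUid, body) =>
//       admin.auth().setCustomUserClaims(body.targetUid, { admin: true }),
//   });
//
//   // browser side: only the user's ID token is sent, never a service account
//   const idToken = await firebase.auth().currentUser.getIdToken(true);
//   await fetch('/admin/grant', {
//     method: 'POST',
//     headers: { Authorization: `Bearer ${idToken}`, 'Content-Type': 'application/json' },
//     body: JSON.stringify({ targetUid: 'some-uid' }),
//   });

// Pull the ID token out of "Authorization: Bearer <token>"; null if absent/malformed.
function extractBearerToken(headers) {
  const value = headers && (headers.authorization || headers.Authorization);
  if (typeof value !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/.exec(value.trim());
  return m ? m[1] : null;
}

// Build the backend handler. verifyIdToken must reject forged/expired tokens
// (firebase-admin checks signature, audience, issuer and expiry); requiredClaim
// is the custom claim that marks a privileged user (assumed name: "admin").
function createPrivilegedHandler({ verifyIdToken, performPrivilegedOp, requiredClaim = 'admin' }) {
  return async function handle(req) {
    const idToken = extractBearerToken(req.headers);
    if (!idToken) return { status: 401, body: { error: 'missing bearer token' } };

    let decoded;
    try {
      decoded = await verifyIdToken(idToken);
    } catch (e) {
      return { status: 401, body: { error: 'invalid token' } };
    }

    // Authentication is not authorization: a valid ID token only proves who the
    // caller is. Require an explicit claim before touching admin functionality.
    if (decoded[requiredClaim] !== true) {
      return { status: 403, body: { error: 'forbidden' } };
    }

    const result = await performPrivilegedOp(decoded.uid, req.body);
    return { status: 200, body: { ok: true, actor: decoded.uid, result } };
  };
}

// ---- Offline demonstration with a constructed fake verifier -------------------
// Constructed sample tokens standing in for real verified ID-token payloads.
const FAKE_TOKENS = {
  'tok-owner': { uid: 'uid-owner', admin: true },
  'tok-user': { uid: 'uid-user' },
};

async function fakeVerifyIdToken(token) {
  if (!(token in FAKE_TOKENS)) throw new Error('auth/argument-error');
  return FAKE_TOKENS[token];
}

// Records which actor granted what, in place of a real admin SDK call.
const grants = [];
async function fakePerformPrivilegedOp(actorUid, body) {
  grants.push({ by: actorUid, target: body.targetUid });
  return { granted: body.targetUid };
}

const demoHandler = createPrivilegedHandler({
  verifyIdToken: fakeVerifyIdToken,
  performPrivilegedOp: fakePerformPrivilegedOp,
});

function request(token, body) {
  return { headers: token ? { authorization: `Bearer ${token}` } : {}, body };
}

// Exercise the four cases a practitioner cares about.
async function runDemo() {
  return {
    noToken: await demoHandler(request(null, { targetUid: 'x' })),
    badToken: await demoHandler(request('tok-forged', { targetUid: 'x' })),
    plainUser: await demoHandler(request('tok-user', { targetUid: 'x' })),
    owner: await demoHandler(request('tok-owner', { targetUid: 'uid-new-admin' })),
  };
}

runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The project-owner case in the demo is the one the question asks about: the owner's browser still sends only an ID token, and it is the server process holding the service-account credential that performs the privileged call on the owner's behalf after verifying the token and the claim. Nothing about that flow requires, or permits, the service-account key to reach the browser.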
