如何防止恶意用户将数据推送到 Firebase 中的文档中?
[英]How to prevent a malicious user from pushing data into a document in Firebase?
问题描述
I am using a front-end Firebase to create a document not integrated with node at this point, I am trying to solve the issue of preventing a malicious user from posting in the document that I am creating from the front-end, I mean the front-end in my app can create data and push them to the Firestore but what my concern is a user that will intentional push data into the collection or even causing a unnecessary writes to the document what I thought about is making a cloud function that will check if the model of the application is in certain shape (my default shape since you cannot make a model like in mongo) and if someone model will be different the account and the whole document will be deleted and the user will be regarded as malicious.
此时我正在使用前端 Firebase 创建一个未与节点集成的文档,我试图解决防止恶意用户在我从前端创建的文档中发布的问题,我的意思是我的应用程序中的前端可以创建数据并将它们推送到 Firestore,但我担心的是用户会故意将数据推送到集合中,甚至导致对文档进行不必要的写入我想的是制作云 function检查应用程序的 model 是否处于特定形状(我的默认形状,因为你不能像在 mongo 中那样制作 model),如果某人 model 不同,则帐户和整个文档将被删除,用户将被视为恶意用户。 I would also like to know what will happen if the document size is exceeded?我也想知道如果超过文档大小会怎样? will exceeding the size stop the database from adding data to that doc or what is the accepted behavior in this case?超过大小会阻止数据库向该文档添加数据,或者在这种情况下可接受的行为是什么?
const AddGroup = async (//some data) => { try { const docRefCol = doc(db, //some collection, //some document in side colletion); // Add await updateDoc(docRefCol, { //Some melicious data or data that the user decied on pushing by abusing the front end logic }); } catch (error) { errorHandeling(error, 'An error has happened'); } };2 个解决方案
解决方案1
2 已采纳 2022-03-23 09:18:26
You cannot prevent anyone from making update requests to Firestore but if you have security rules setup then that should not be an issue.您无法阻止任何人向 Firestore 发出更新请求,但如果您设置了安全规则,那么这应该不是问题。 If you are referring to your document's structure, then you use hasOnly() to prevent user from creating any new fields in your document.如果您指的是文档的结构,那么您可以使用hasOnly()来防止用户在您的文档中创建任何新字段。
allow write: if request.resource.data.keys().hasOnly(['name', 'age'])
For example, the above rule will only allow name and age field to update in updated document.例如,上面的规则将只允许更新文档中的姓名和年龄字段进行更新。
In cases like a field is an array, then you'll need some other logic like max array size or some sort of rate limiting to prevent spam data being pushed in an array.在字段是数组的情况下,您将需要一些其他逻辑,例如最大数组大小或某种速率限制,以防止垃圾邮件数据被推送到数组中。
what will happen if the document size is exceeded?
It won't update and the SDK will throw an error.它不会更新,SDK 会抛出错误。
解决方案2
0 2022-03-23 09:11:21
Take a look at Firebase auth and implement it.看看 Firebase auth 并实现它。
Link - https://firebase.google.com/products/auth Documentation - https://firebase.google.com/docs/auth链接 - https://firebase.google.com/products/auth文档 - https://firebase.google.com/docs/auth
Or Implement a custom authentication system in your Node backend或者在您的 Node 后端实施自定义身份验证系统
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.