[英]How do we secure a Firebase Firestore without using Firestore Authentication? Or is it a must?
At this moment we have 1 Firebase Function running that connects to a Firestore database instance.此时我们有 1 Firebase Function 正在运行,它连接到一个 Firestore 数据库实例。 It correctly connects to the Firestore database using the rules below, however this is insecure .
它使用以下规则正确连接到 Firestore 数据库,但是这是不安全的。
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
It is however unknown to me how we should secure this if we don't have Users in our application.然而,如果我们的应用程序中没有用户,我不知道我们应该如何保护它。 It is not multitenant.
它不是多租户的。 We just do HTTP calls to the function and it saves something in the database.
我们只需对 function 执行 HTTP 调用,它就会在数据库中保存一些内容。
To build user-based and role-based access systems that keep your users' data safe, use Firebase Authentication with Firebase Security Rules.
要构建基于用户和基于角色的访问系统以确保用户数据安全,请使用 Firebase 身份验证和 Firebase 安全规则。
We do not have user data.我们没有用户数据。
Note: The server client libraries bypass all Cloud Firestore Security Rules and instead authenticate through Google Application Default Credentials.
注意:服务器客户端库绕过所有 Cloud Firestore 安全规则,而是通过 Google 应用程序默认凭据进行身份验证。
If we change our write rule to write: if request.auth() != null our application fails to save.如果我们将写入规则更改为写入:if request.auth() != null我们的应用程序将无法保存。
However, we can call getAuth() and then signInAnonymously() .但是,我们可以先调用getAuth() ,然后再调用 signInAnonymously () 。 But how does that make it more secure?
但这如何使它更安全呢? And how long will the function remain authenticated?
function 将保持多长时间的身份验证?
We have read the documentation at https://firebase.google.com/docs/rules/rules-and-auth andhttps://firebase.google.com/docs/firestore/security/get-started .我们已阅读https://firebase.google.com/docs/rules/rules-and-auth和https://firebase.google.com/docs/firestore/security/get-started的文档。 But as we don't have users in our application, it seems unclear to us how to secure Firestore using firestore.rules.
但是由于我们的应用程序中没有用户,我们似乎不清楚如何使用 firestore.rules 保护 Firestore。
Concrete: How do we secure a Firebase Firestore without using Firestore Authentication?具体:我们如何在不使用 Firestore 身份验证的情况下保护 Firebase Firestore? Or is it a must?
还是必须的?
When not using Firebase Authentication, you cannot get details of user who is making the request.当不使用 Firebase 身份验证时,您无法获取发出请求的用户的详细信息。
request.auth
will be null
in this case and hence request.auth() != null
fails.在这种情况下,
request.auth
将是null
,因此request.auth() != null
失败。
When you use signInAnonymously()
the user is signed in with Firebase Auth and request.auth
contains details of that user.当您使用
signInAnonymously()
时,用户使用 Firebase Auth 登录,并且request.auth
包含该用户的详细信息。 However, once the user logs out of an anonymous account by any mean, there is no way to log back in with that account and user won't be able to access their data again.但是,一旦用户以任何方式退出匿名帐户,就无法使用该帐户重新登录,用户将无法再次访问他们的数据。
If you use your own authentication method, using Cloud functions to retrieve data would be best so you can authenticate user using your auth system and then serve data if authorized.如果您使用自己的身份验证方法,最好使用云功能来检索数据,这样您就可以使用您的身份验证系统对用户进行身份验证,然后在获得授权后提供数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.