如何在 Web 应用程序的 FireStore 中传递 Auth 令牌
[英]How to pass Auth token in FireStore in Web app
问题描述
I have developed a single crud project(Login screen and crud operation screen HTML) and hosted on firebase hosting.
我开发了一个单独的 crud 项目(登录屏幕和 crud 操作屏幕 HTML)并托管在 firebase 主机上。 where User signing with email and password, I am using firebase signing with email and password and its working as expected.其中用户使用 email 和密码签名,我使用 firebase 使用 email 和密码签名,并且按预期工作。
But now issue is I want to secure backend with auth but its not passing auth in setDoc() deleteDoc() etc, My requirement is without auth.但现在的问题是我想用 auth 保护后端,但它没有在 setDoc() deleteDoc() 等中传递 auth,我的要求是没有 auth。 no one should do any operation on database.任何人都不应该对数据库进行任何操作。
import { doc, setDoc } from "firebase/firestore";
await setDoc(doc(db, "cities", "LA"), {
name: "Los Angeles",
state: "CA",
country: "USA"
});
below rules are working but its not secured for production env.以下规则有效,但它不适用于生产环境。 : :
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true
}
}
}
If set rules like below it give me insufficient permission error.如果像下面这样设置规则,它会给我足够的权限错误。 I don't know how to pass UID in setDoc() or any operation.我不知道如何在 setDoc() 或任何操作中传递 UID。
allow read, write: if request.auth != null
Update: If i put below code before setDoc() below code is not executing because currentUser has user data.更新:如果我将下面的代码放在 setDoc() 之前,下面的代码不会执行,因为 currentUser 有用户数据。
function addCity(){
if (!firebase.auth().currentUser) {
// this code not executing because user is signed
alert("Login required");
window.href = "login.html";
return;
}
// i can print UID and it is showing means user is logged.
await setDoc(doc(db, "cities", "LA"), {
name: "Los Angeles",
state: "CA",
country: "USA"
});
}
2 个解决方案
解决方案1
0 2023-01-03 11:20:50
This is in detail covered in the Firebase documentation on Security & Rules , which I would recommend you to check out.You can secure your data with Security Rules,Firebase Security Rules are evaluated and based on that the rules language it is validated whether the current user can access your data.这在 关于安全和规则的 Firebase 文档中有详细介绍,我建议您查看。您可以使用安全规则保护您的数据,Firebase 安全规则被评估并基于它验证规则语言是否当前用户可以访问您的数据。
Security Rules give you access to a set of server variables to check your rules against.安全规则使您可以访问一组服务器变量来检查您的规则。 The most commonly used one is the auth variable which lets you check against the currently authenticated user.最常用的一个是 auth 变量,它可以让您检查当前经过身份验证的用户。 You can also create wildcard variables with the $, which acts as a route parameter creating.您还可以使用 $ 创建通配符变量,用作创建路由参数。
{ "rules": { "users": { // users can read and write their own data, but no one else. "$uid": { ".read": "auth.uid == $uid", ".write": "auth.uid == $uid" } } } }
You can also check the feature called Firebase App Check , it will let you limit access to your Realtime Database to only those coming from iOS, Android and Web apps that are registered in your Firebase project.您还可以查看名为Firebase App Check的功能,它将允许您将对实时数据库的访问限制为仅来自 iOS、Android 和 Web 应用程序的访问,这些应用程序已在您的 Firebase 项目中注册。 You can combine this with the user authentication based security described above, so that you have another shield.您可以将其与上面描述的基于用户身份验证的安全性结合起来,这样您就有了另一个屏障。 Also check these similar examples below:还要检查下面这些类似的例子:
解决方案2
0 已采纳 2023-01-30 12:26:37
Finally, I found solution.最后,我找到了解决方案。 I was using different version library of firebase. like I was using web v8 library for login and modular lib for database access.我使用的是 firebase 的不同版本库。就像我使用 web v8 库进行登录和模块化库进行数据库访问一样。 I just moved all firebase SDK to same version and modular.我刚刚将所有 firebase SDK 移动到相同的版本和模块化。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.