
Authenticate Firebase Realtime Database requests made from a backend (without a user)

  • I am managing a project with a lot of Firebase Realtime Database usage and a lot of data.
  • I also need very precise security features, like masking certain fields for certain user roles, or masking data that contains fields related to the user, etc.

I know that I can handle that using Firebase Security Rules, but at that scale it's not readable nor maintainable at all.

So I want to handle all those security features server-side and proxy all requests to Firebase, so I wonder what is the best way to authenticate requests made by my backend to Firebase, knowing that ideally I will not grant any user any rights on any database.

Actually, I have tried to use a single "admin" user and put a simple security rule on all my Firebase models like "read|write": "auth.uid === MY_ADMIN_UID", but I wonder if there is a better solution.

Could you point me in the right direction please?

"I want to handle all those security features server-side and proxy all requests to Firebase, so I wonder what is the best way to authenticate requests made by my backend to Firebase, knowing that ideally I will not grant any user any rights on any database."

Classically, in the Firebase model, if you want to interact with a Firebase service (e.g. the Realtime Database) from a server you will use the Admin SDK. By default the Admin SDK bypasses all Security Rules and has full access to your data.

In other words, requests from the Firebase Admin SDK are not gated by Security Rules. So it means that you can protect your RTDB with Security Rules that deny any access (i.e. ".read": false, ".write": false) so that a malicious user knowing the RTDB URL cannot query it.

This also means that you are in charge of controlling who is calling your proxy server before querying the RTDB from it.


HOWEVER, with the Realtime Database you can authenticate with the Admin SDK with limited privileges, which IMO perfectly corresponds to your requirement, i.e. "best way to authenticate requests made by my backend".

As explained in the doc (see link above), you "use a unique identifier in your Security Rules to represent your service".

You then "set up appropriate Security Rules which grant your service access to the resources it needs" by using a specific identifier. For example:

{
  "rules": {
    "public_resource": {
      ".read": true,
      ".write": true
    },
    "private_resource": {
      ".read": "auth.uid === 'my-service-worker'",  // <======
      ".write": false
    }
  }
}

And then, "on your server, when you initialize the Firebase app, you use the databaseAuthVariableOverride option to override the auth object used by your database rules. In this custom auth object, set the uid field to the identifier you used to represent your service in your Security Rules". See the examples for Java, Node.js, Python and Go in the doc.

Note that this still means that you are in charge of controlling who is calling your proxy server before querying the RTDB from it, but the Security Rules are less generic.
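The following Node.js example is added here to illustrate the two halves of the answer together; it is not code from the original answer or from the Firebase documentation. The first half builds the Admin SDK initialisation options with the `databaseAuthVariableOverride` described above (`credential` and `databaseURL` are the Admin SDK's usual `initializeApp` options; `initLimitedAdmin` assumes `firebase-admin` is installed and that a service-account JSON file exists, and is only invoked when you call it). The second half is the part the Admin SDK does not do for you: the proxy deciding who its caller is and masking fields per role before data leaves the server. `FIELD_POLICY`, `OWNER_ONLY`, the record shape and the stub database are all constructed for the example.

```javascript
// Identifier used in the Security Rules, i.e. ".read": "auth.uid === 'my-service-worker'".
const SERVICE_UID = 'my-service-worker';

// Options passed to admin.initializeApp(). The override replaces the `auth`
// object that the Security Rules evaluate, so rules see auth.uid === SERVICE_UID
// instead of the Admin SDK's usual "bypass everything" behaviour.
function buildAdminOptions(credential, databaseURL) {
  return {
    credential,
    databaseURL,
    databaseAuthVariableOverride: { uid: SERVICE_UID },
  };
}

// Lazy initialisation: `firebase-admin` is only required when this is called.
// Assumption: the package is installed and serviceAccountPath points at a
// downloaded service-account JSON file (a hypothetical path in your deployment).
function initLimitedAdmin(databaseURL, serviceAccountPath) {
  const admin = require('firebase-admin');
  const serviceAccount = require(serviceAccountPath);
  const options = buildAdminOptions(admin.credential.cert(serviceAccount), databaseURL);
  return admin.initializeApp(options);
}

// Constructed role policy: which fields each role may read (null = all fields).
const FIELD_POLICY = {
  admin: null,
  support: ['id', 'displayName', 'email', 'internalNotes'],
  user: ['id', 'displayName', 'email', 'phone'],
};

// Constructed list of fields that only the record's owner (or an admin) may read,
// i.e. the "data that contains fields related to the user" case from the question.
const OWNER_ONLY = ['email', 'phone'];

// Apply the policy to one record for one caller. `caller` is whatever identity
// the proxy established for the incoming request ({ uid, role }); unknown roles
// are rejected rather than silently given the most permissive policy.
function maskRecord(record, caller) {
  if (!caller || !Object.prototype.hasOwnProperty.call(FIELD_POLICY, caller.role)) {
    throw new Error('unauthorised: unknown caller role');
  }
  const allowed = FIELD_POLICY[caller.role];
  const isOwner = record.ownerUid === caller.uid;
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    const roleAllows = allowed === null || allowed.includes(key);
    const ownerGate = !OWNER_ONLY.includes(key) || isOwner || caller.role === 'admin';
    if (roleAllows && ownerGate) out[key] = value;
  }
  return out;
}

// Proxy read: fetch through the limited-privilege Admin app, then mask.
// `db` is an Admin RTDB Database instance (admin.database(app)); ref().once('value')
// and snapshot.val() are the Admin SDK's standard read calls.
async function proxyRead(db, path, caller) {
  const snapshot = await db.ref(path).once('value');
  const record = snapshot.val();
  return record === null ? null : maskRecord(record, caller);
}
```

In practice `caller` comes from whatever authenticates requests to the proxy itself (a session, a verified ID token, an API key); as the answer notes, that check is the proxy's responsibility, and the override only limits what the proxy's own credential can do against the RTDB if that check is ever bypassed.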
