stackoom
  简体   繁体   中英

Secure flutter application with firebase anonymous user

 原文  2020-07-24 15:36:08       firebase/ flutter/ firebase-authentication

Question

I have an application that connects to firebase cloud storage to store images and firestore to store data. I have added some security rules that require the user to be authenticated to be able to modify the data. My application doesn't allow users to connect with firebase, I use another service so I made an automatic anonymous firebase authentication at the launch of the app so that users can use the application. I thought that the computer's SHA-1 key entered in the firebase(android) console would prevent the android application from being compiled on another machine and thus guarantee that anonymous users are on my application. However I can build and run the application on another computer without any problem, as if anonymous allowed that? How do I secure my application? Thanks

2 answers

solution1
 1 ACCPTED  2020-07-24 15:43:54

The configuration data used by Firebase to find your project on the servers is not a secret (see here ) and can be taken from your app by anyone and then used to also make API calls against your project. There is currently now way to ensure calls to the API can only come from your app (see here ).

What you instead should do is create security rules that ensure all access is authorized, no matter where the API is called from. Doing this through Firebase's server-side security rules ensures that no one can bypass these rules, not even a malicious user.

Say that you give each user their own folder in Firebase Storage. You can then use security rules to ensure each user can only read and write files in their own folder . And with those security rules in place, it doesn't matter anymore whether they use your app to access the files, or whether they call the API with your project keys and their own code:, since the access is controlled by the server-side security rules.

solution2
 1  2020-07-24 15:44:24

I thought that the computer's RSA key entered in the firebase(android) console would prevent the android application from being compiled on another machine and thus guarantee that anonymous users are on my application.

That's not really the way it works. You can't restrict Firebase Auth from working on different devices or computers. The underlying REST APIs are public and can be called from anywhere on the internet. The SHA-1 key that you enter in the console is intended to identify your app, not a piece of hardware.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to use the same firebase anonymous user in a flutter app Coverting user from anonymous firebase, but won't refresh screen flutter Flutter Firebase authentication: reverting back to a specific anonymous user Firebase Anonymous user Anonymous user in Firebase User not able to sign out in firebase Flutter application Will currentUser() return an anonymous user Firebase? Anonymous User Identity in Firebase and Android Does using Firebase Anonymous authentication allow me to secure my Firestore data and Cloud functions to only be accessed by my application? Firebase Anonymous User Authentication flow
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM