据我所知,浏览器没有可用信息查找客户端的IP地址,而无需另外调用其他资源。
有没有办法存储客户端的IP地址?我的意思与firebase.timestamp占位符的工作方式类似。
答案 0 :(得分:5)
虽然我听说客户现在有办法确定并报告他们的IP地址,依靠客户端代码报告他们的IP地址也开启了任何人运行自定义客户端代码报告错误的能力IP地址。
跟踪客户端IP地址的唯一安全方法是让您拥有服务器,或者Firebase具有特殊功能,当客户端调用时,会导致firebase服务器获取客户端的IP地址并保存对你而言。
我的建议是运行一个可以接受POST请求的简单服务器。服务器只需要能够验证请求来自哪个用户,并且能够准确地获取客户端的IP地址并将其保存在firebase上。
答案 1 :(得分:0)
https://firebase.google.com/docs/auth/admin/manage-sessions
在“ 高级安全性:实施IP地址限制”部分
您会找到对 remoteIpAddress 的引用 在这段代码中(箭头指向的行):
app.post('/getRestrictedData', (req, res) => {
// Get the ID token passed.
const idToken = req.body.idToken;
// Verify the ID token, check if revoked and decode its payload.
admin.auth().verifyIdToken(idToken, true).then((claims) => {
// Get the user's previous IP addresses, previously saved.
return getPreviousUserIpAddresses(claims.sub);
}).then(previousIpAddresses => {
// Get the request IP address.
const requestIpAddress = req.connection.remoteAddress; <=============================
// Check if the request IP address origin is suspicious relative to previous
// IP addresses. The current request timestamp and the auth_time of the ID
// token can provide additional signals of abuse especially if the IP address
// suddenly changed. If there was a sudden location change in a
// short period of time, then it will give stronger signals of possible abuse.
if (!isValidIpAddress(previousIpAddresses, requestIpAddress)) {
// Invalid IP address, take action quickly and revoke all user's refresh tokens.
revokeUserTokens(claims.uid).then(() => {
res.status(401).send({error: 'Unauthorized access. Please login again!'});
}, error => {
res.status(401).send({error: 'Unauthorized access. Please login again!'});
});
} else {
// Access is valid. Try to return data.
getData(claims).then(data => {
res.end(JSON.stringify(data);
}, error => {
res.status(500).send({ error: 'Server error!' })
});
}
});
});