我正在构建一个简单的示例应用程序,它基本上只允许网站的所有用户互相聊天,比如聊天室。 Firebase允许我匿名验证用户,这是我想要的,因为我只希望我应用程序上的用户使用它。以下代码根据Firebase文档提供身份验证:
var ref = new Firebase("https://<your-firebase>.firebaseio.com");
ref.authAnonymously(function(error, authData) {
if (error) {
console.log("Login Failed!", error);
} else {
console.log("Authenticated successfully with payload:", authData);
}
});
那很酷。有用。大。但这是我的问题。
有什么可以阻止某人简单地从我的来源复制我的javascript代码并在我的Firebase上运行他们自己的应用程序?由于身份验证方法位于我的应用程序的客户端,因此可以简单地复制粘贴并开始读取和写入我的Firebase并修改所有内容。
我的仪表板中设置了我的规则
{
"rules": {
".read": "auth !== null",
".write": "auth !== null"
}
}
我真的很遗憾这是多么安全。我不能使用秘密令牌,因为它都是客户端。我错过了什么?
答案 0 :(得分:0)
只需创建用于检查用户是否具有某个属性的安全规则。您可以在仪表板中为您自己的用户表示设置此属性(让我们将其称为&#34; isAdmin&#34;),然后如果属性存在且为真,则所有规则都返回true。
快速举例:
{
"rules": {
// Allow everyone to read. This rule cannot be refined in deeper levels.
// Once permission is granted at a certain level, it cannot be revoked
// in a deeper level. However, the other way around works, as we see
// next.
".read": true,
// Always allow writes by users who have the isAdmin attribute. If this
// evaluates to false, you can still have subrules in deeper levels that
// may grant permission.
".write": "root.child('users/' + auth.uid + '/isAdmin').val() === true",
"users": {
"$uid": {
// Users can write to their own entries, only. Except for the admin,
// as his root rule already evaluated to true. The cascade is also
// the reason why we need to check that the incoming isAdmin attribute is
// actually false. We don't want to give the user a blank cheque just
// because he is himself ...
".write": "$uid === auth.uid && newData.child('isAdmin').val() === false",
"isAdmin": {
// No one can write this attribute, except users who already have
// the attribute (see above). The cascade makes sure of that.
".write": false
}
}
}
}
}
免责声明:我没有对此进行过广泛的测试。
有关详细信息,请参阅https://www.firebase.com/docs/security/guide/securing-data.html#section-other-paths