我正在开发一款从Firebase database读取的Android应用。 App用户不会登录或修改数据库。所有应用用户都将查看相同的数据;我正在使用Firebase进行实时更新。
理想情况下,我想限制对数据库的访问,以便只有我的应用才能读取数据。
我知道我可以做的一些事情:
1。编写允许任何人阅读的安全规则,即
{
"rules": {
".read": true,
".write": false
}
}
骗局:任何人都可以阅读:(
2。编写allow authenticated users to read的安全规则,然后将用户名和密码硬编码到应用程序中
{
"rules": {
"$user_id":{
".read": "auth.uid === $user_id",
".write": false
}
}
}
Con:在应用程序中对用户名和密码进行硬编码似乎非常错误。此外,它实际上并没有锁定数据库,因为任何人都可以反编译应用程序,获取google-services.json和硬编码的用户名/密码,并编写自己的应用程序共享我的包名称。
谷歌搜索已经显示this,这是特定于写作,this,表示“不”,但是已有几年了。
限制访问数据库的正确方法是什么?我是从错误的方向接近这个吗?
答案 0 :(得分:3)
第3。使用CREATE VIEW upg_roles_privs AS
/* Databases */
select type, objname, r1.rolname grantor, r2.rolname grantee, privilege_type
from
(select
'database'::text as type, datname as objname, datistemplate, datallowconn,
(aclexplode(datacl)).grantor as grantorI,
(aclexplode(datacl)).grantee as granteeI,
(aclexplode(datacl)).privilege_type,
(aclexplode(datacl)).is_grantable
from pg_database) as db
join pg_roles r1 on db.grantorI = r1.oid
join pg_roles r2 on db.granteeI = r2.oid
where r2.rolname not in ('postgres')
union all
/* Schemas / Namespaces */
select type, objname, r1.rolname grantor, r2.rolname grantee, privilege_type from
(select
'schema'::text as type, nspname as objname,
(aclexplode(nspacl)).grantor as grantorI,
(aclexplode(nspacl)).grantee as granteeI,
(aclexplode(nspacl)).privilege_type,
(aclexplode(nspacl)).is_grantable
from pg_catalog.pg_namespace) as ns
join pg_roles r1 on ns.grantorI = r1.oid
join pg_roles r2 on ns.granteeI = r2.oid
where r2.rolname not in ('postgres')
union all
/* Tabelas */
select 'tables'::text as type, table_name||' ('||table_schema||')' as objname, grantor, grantee, privilege_type
from information_schema.role_table_grants
where grantee not in ('postgres')
and table_schema not in ('information_schema', 'pg_catalog')
and grantor <> grantee
union all
/* Colunas (TODO: se o revoke on table from x retirar acesso das colunas, nao precisa desse bloco) */
select
'columns'::text as type, column_name||' ('||table_name||')' as objname,
grantor, grantee, privilege_type
from information_schema.role_column_grants
where
table_schema not in ('information_schema', 'pg_catalog')
and grantor <> grantee
union all
/* Funcoes / Procedures */
select 'routine'::text as type, routine_name as objname, grantor, grantee, privilege_type
from information_schema.role_routine_grants
where grantor <> grantee
and routine_schema not in ('information_schema', 'pg_catalog')
--union all information_schema.role_udt_grants
union all
/* Outros objetos */
select 'object'::text as type, object_name||'( '||object_type||')' as objname, grantor, grantee, privilege_type
from information_schema.role_usage_grants
where object_type <> 'COLLATION' and object_type <> 'DOMAIN'
和FirebaseAuth方法
参考:https://firebase.google.com/docs/auth/android/anonymous-auth
然后调整安全规则:
signInAnonymously()Con:多个帐户仅用于读取相同的数据
答案 1 :(得分:0)
将应用程序添加到Firebase项目时,必须指定应用程序的SHA1证书,因此除了您之外,没有人能够访问您的数据。