本文介绍了将 Firebase 读/写访问权限限制为只有我自己的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个运行的静态网站:

config =apiKey:隐藏"authDomain:隐藏"数据库网址:隐藏"存储桶:"firebase.initializeApp(config)

在浏览器中(它被编译为 javacript)以向 Firebase 的服务器进行身份验证.

我在这里糊涂了吗?这是从浏览器向 Firebase 进行身份验证的有效方法吗?我从他们的网络"教程中获得了代码,所以我认为它是.

现在,我需要配置我的 Firebase 数据库规则,以便我和只有我可以读取 &写吧.

我怎么能做到这一点?这个例子是否足够?

这是仅允许对经过身份验证的用户进行读/写的给定示例

{规则":{".read": "auth != null",".write": "auth != null"}}
解决方案

firebase.initializeApp(config) 不会对您进行身份验证,它只会在 Firebase 服务器上识别您的项目.这相当于您必须知道您的家庭住址才能知道下班后去哪里.知道地址是先决条件,但还不足以获得访问权限.

如果您想将数据访问权限限制为只有您",这意味着您必须首先在 Firebase 中表明自己的身份.您可以使用

使用此 uid,您可以控制对数据(数据库和存储)的访问.因此,如果您从控制台复制您的 uid 并将其添加到您的安全规则中,则只有您(或知道您的电子邮件+密码的人)可以访问数据库:

{规则":{".read": "auth.uid == 'e836f712-4914-41df-aa80-5ade6b8b7874'",".write": "auth == 'e836f712-4914-41df-aa80-5ade6b8b7874'"}}

请注意,我在此代码段中添加了自己的 uid 之一.就像知道您的 API 密钥或数据库 URL 不会带来安全风险一样,知道我的 uid 也不会.知道我是 Stack Overflow 上的 Frank van Puffelen,user:209103,并不意味着你可以冒充我.

I have a static website which runs:

config =
  apiKey: "HIDDEN"
  authDomain: "HIDDEN"
  databaseURL: "HIDDEN"
  storageBucket: ""

firebase.initializeApp(config)

in the browser (it's compiled to javacript) to authenticate with Firebase's server.

Am I confused here? Is this a valid way to authenticate with Firebase from the browser? I got the code from their "web" tutorial, so I'm figuring it is.

Now, I need to configure my Firebase database rules so that me and only me can read & write it.

How could I accomplish this? Would this example be adequate?

this is the given example for allowing read/write to authenticated users only

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
解决方案

The firebase.initializeApp(config) does not authenticate you, it merely identifies your project on the Firebase servers. It's the equivalent that you must know your home address to be able to know where to go after work. Knowing the address is a prerequisite, but it is not enough to gain access.

If you want to restrict data access to "just you", that means that you must first identify yourself with Firebase. This you do with Firebase Authentication. For example, to sign in with email+password you'd do:

firebase.auth().signInWithEmailAndPassword(email, password)

Read the documentation for email+password authentication for the full steps.

Once you're authenticated, you get a unique id; a so-called uid. You can find your uid in the Auth tab of your Firebase Console.

With this uid you can control access to the data (both database and storage). So if you copy your uid from the console and add it to your security rules, only you (or someone who knows your email+password) can access the database:

{
  "rules": {
    ".read": "auth.uid == 'e836f712-4914-41df-aa80-5ade6b8b7874'",
    ".write": "auth == 'e836f712-4914-41df-aa80-5ade6b8b7874'"
  }
}

Note that I added one of my own uids in this snippet. Just like knowing your API key or database URL is not a security risk, neither is knowing my uid. Knowing that I am Frank van Puffelen, user:209103 on Stack Overflow, does not mean that you can impersonate me.

这篇关于将 Firebase 读/写访问权限限制为只有我自己的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-03 22:59
查看更多