问题描述

我的Firebase Web应用需要管理员访问权限，即，UI仅应向管理员显示一些内容(管理员"部分).我想出以下方法来授权UI显示仅适用于有效管理员的admin部分.我的问题是好还是坏?这是授权的合理方法吗?...有很多方法可以做到这一点这种特殊方式要求我在安全规则中配置管理员(相对于db/firestore中的节点/树中的VS)

My Firebase web app requires administrator access, i.e., the UI should show a few things only for admins (an 'administrator' section). I came up with the below as a means to authorize the UI to display the admin section for valid admins only. My question is, good or bad? Is this a sound means of authorizing? ...so many ways to do this. This particular way requires me to configure admins in the security rules (vs in a node/tree in a db/firestore)

我的想法是，如果 .get()由于未经授权的访问而失败，我告诉我的应用逻辑，如果 .get()成功后，我的逻辑显示了"admin"部分.当然，部分"只是数据库填充的HTML框架/空元素，因此，即使最终用户入侵JS/逻辑，也不会有真正的数据-只有空的管理部分"框架.

My idea is that if the .get() fails due to unauthorized access, I tell my app logic the user is not an admin, if the .get() succeeds my logic shows the 'admin' sections. Of course, the 'sections' are just HTML skeletons/empty elements populated by the database so even if the end user hacks the JS/logic, no real data will be there - only the empty 'admin section' framework.

function isAdmin(){
    return new Promise(function(resolve, reject){
        var docRef = firebase.firestore().collection("authorize").doc("admin");
        docRef.get().then(function(result) {
            if (result) {
                resolve (true);
            }
        }).catch(function(error) {
            resolve (false);
        });
    });
}

firestore规则通过UID指定管理员".

The firestore rule specifies the 'admins' by UID.

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth.uid == "9mB3UxxxxxxxxxxxxxxxxxxCk1";
    }
  }
}

推荐答案

您要在数据库中存储每个用户的角色，然后在客户端中查找它以更新其UI.长期以来，这一直是实时数据库上惯用的方式，并且在Firestore上仍然有效.

You're storing the role of each user in the database, and then looking it up in the client to update its UI. This used to be the idiomatic way for a long time on realtime database, and it still works on Firestore.

我唯一要更改的是让规则也从/authorize/admin 中读取，而不是对其中的UID进行硬编码.这样一来，您只需将UID放在一个位置，而不必将其同时放在规则和文档中.

The only thing I'd change is to have the rules also read from /authorize/admin, instead of hard-coding the UID in them. That way you only have the UID in one place, instead of having it in both the rules and the document.

但是您可能还想考虑另一种方法:对您的管理员用户设置自定义声明，然后您就可以同时阅读服务器端安全规则(用于强制授权访问)和前端(以优化UI).

But you may also want to consider an alternative: set a custom claim on your admin user, that you can then read in both the server-side security rules (to enforce authorized access) and the front-end (to optimize the UI).

要设置自定义声明，您将使用Firebase Admin SDK 一个>.您可以在Cloud Functions中的自定义服务器上执行此操作，但是在您的情况下，仅从开发计算机运行它可能会更简单.

To set a custom claim you use the Firebase Admin SDK. You can do this on a custom server, in Cloud Functions, but in your scenario it may be simpler to just run it from your development machine.