问题描述

我正在基于 VueJs (针对 UI )和 NodeJs (针对后端(将在Google Cloud Platform中运行)+ Firestore (用于 auth +数据库).

I am designing an application (let's call it a TodoList app) based on VueJs (for the UI) + NodeJs (for the backend, which will run in Google Cloud Platform) + Firestore (for the auth + database).

我徘徊在Google庞大的文档中(有时是多余的！)来实现某些可行的方法，但我不确定它是否可以保证生产.

I have wandered through the huge documentation of Google (sometimes redundant!) to achieve something that should work but I am not sure it's production-proof.

情况:

• 由于对Firebase进行了基于密码的身份验证，因此用户已经登录了我的VueJs应用程序(并且该用户的凭据(包括他的accessToken)存储在我的Vuex存储中).
• Firebase Admin SDK正在后端运行.
• 我的VueJs应用正在请求我的后端.
• 后端验证在客户端中发送的accessToken -附带请求
• 由于有了Admin SDK，我的后端才请求我的Firestore数据库

• A user has signed-in on my VueJs app thanks to the password-based authentication of Firebase (and the user's credentials, including his accessToken, are stored in my Vuex store).
• The Firebase Admin SDK is running on my backend.
• My VueJs app is requesting my backend.
• The backend verifies the accessToken sent in the client-side request
• It is my backend that request my Firestore database thanks to the Admin SDK

我在Firestore数据库上设置了一些安全规则:

I have set some security rules on my Firestore database:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}

所以我不希望任何登录的用户访问另一个用户的数据.

so that I don't want any logged users to access data from another user.

问题:

由于Firebase Admin SDK对我的Firestore数据库具有完全特权，因此我如何确保不会出现任何安全问题.现在，我只是在验证请求中发送的accessToken到我的后端，但是...令我感到不舒服！

As the Firebase Admin SDK has full privilege on my Firestore database, how can I make sure there won't be any security issues. For now, I am just verifying the accessToken sent in the request to my backend, but ... something makes me feel wrong with this!

代码:

在客户端:

auth.onAuthStateChanged((user) => {
  if (user) {
    // Save the user credentials
  }
}

在服务器端:

// idToken comes from the client app (shown above)
// ...
admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    var uid = decodedToken.uid;
    // Retrieve or add some data in /users/{userId}/{document=**}
  }).catch(function(error) {
    // Handle error
  });

如您所见，一旦我验证了accessToken并检索了uid，就可以在数据库上执行任何操作.

As you can see, once I validate the accessToken and retrieve the uid, I can do anything on my database.

参考

• https://firebase.google.com/docs/admin/setup
• https://firebase.google.com/docs/auth/admin/verify-id-tokens
• https://firebase.google.com/docs/reference/admin/node/admin.firestore

• https://firebase.google.com/docs/admin/setup
• https://firebase.google.com/docs/auth/admin/verify-id-tokens
• https://firebase.google.com/docs/reference/admin/node/admin.firestore

感谢您的帮助！

推荐答案

管理SDK将始终具有对数据库的完全访问权限.

由于客户端从不直接访问Firebase，因此应完全禁用对所有文档的访问.您的API仍然可以访问

Since the client is never accessing Firebase directly, you should totally disable access to all documents. Your API will still have access

match /{document=**} {
  allow read, write: if false;
}

这篇关于限制Firestore对admin-sdk的访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！