我正在考虑使用 Firebase 实时数据库，但有几件事让我担心：
我正在考虑做一些事情:
这足够安全吗?
如何保护我的 Firebase 免受读/写漏洞或 DDoS 攻击?
围绕这三个步骤的总体思路是很好的实践。
请注意，Firebase 是基于云的服务，因此它直接暴露在整个互联网面前。以下是针对 Firebase 的一些具体建议，以及如何引入看门狗（watchdog）式的监控实践：
// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this ruleset in production; it allows
// anyone to overwrite your entire database.
//
// NOTE(review): this is Cloud Firestore rules syntax (`service cloud.firestore`),
// not a Realtime Database ruleset; the two products use different rule languages.
// A safe default is the opposite of this file: deny everything, then open
// individual paths behind `request.auth != null` (and per-user) checks.
service cloud.firestore {
  match /databases/{database}/documents {
    // `{document=**}` recursively matches every document in every collection,
    // so the single rule below governs the whole database.
    match /{document=**} {
      // Unconditional: grants read and write to unauthenticated callers as well.
      allow read, write: if true;
    }
  }
}
{
"rules": {
"users": {
"$uid": {
".read": "auth.uid == $uid || root.child('users').child(auth.uid).child('isAdmin').val() == true",
".write": "root.child('users').child(auth.uid).child('isAdmin').val() == true",
".indexOn": ["email"]
}
}
}
}
恕我直言——我会把这一步做成人工审核，或者至少将其与用户注册 IP、蜜罐之类的信号进行核对。
const getCustomClaimsByEmail = require('../utilities/get-custom-claims-by-email');
const setCustomClaims = require('../utilities/set-custom-claims');
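/**
 * Builds the auth-trigger handler that syncs a Firebase Auth user into
 * Firestore: it looks up custom claims keyed by the user's email, applies
 * them to the Auth user, then merges a snapshot of the user into the
 * `environment.schema.users` collection.
 *
 * @param {{ admin: object, environment: object }} deps - initialised
 *   firebase-admin instance and the environment config holding the
 *   `schema.users` (Firestore collection) and `schema.customClaims`
 *   (Realtime Database path) names.
 * @returns {(user: object) => Promise<object>} handler resolving with the
 *   result of the Firestore `set`.
 */
module.exports = ({ admin, environment }) => async (user) => {
  // The handler is `async` so that every failure, including a synchronous
  // throw from extractEmailFromUser or mapUserUpdate, is reported through
  // the returned promise instead of escaping as a sync exception.
  const db = admin.firestore();
  const usersCollection = db.collection(environment.schema.users);
  const customClaimsRef = admin.database().ref(environment.schema.customClaims);
  const auth = admin.auth();
  const email = extractEmailFromUser(user);

  // Both helpers are curried factories; build them up front, before any
  // await, so the outer calls keep the ordering the original promise chain had.
  const lookupClaims = getCustomClaimsByEmail(customClaimsRef, email);
  const applyClaims = setCustomClaims(auth, user.uid);

  // NOTE(review): claims are granted purely on the email string. Unless the
  // lookup helper checks `user.emailVerified`, an unverified provider email
  // that matches an entry under the custom-claims path would receive those
  // claims — confirm in getCustomClaimsByEmail.
  const storedClaims = await lookupClaims();
  const claims = await applyClaims(storedClaims);

  const update = mapUserUpdate(claims, user);
  return usersCollection.doc(user.uid).set(update, { merge: true });
};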
/**
 * Shapes the Firestore document written for a user: the resolved custom
 * claims plus a snapshot of the Auth record's identity and timing fields.
 *
 * @param {object} claims - custom claims as returned by the claims helper.
 * @param {object} user - Firebase Auth user record (`emailVerified`,
 *   `metadata.lastSignInTime`, `metadata.creationTime`, `providerData`).
 * @returns {object} plain object suitable for `doc.set(..., { merge: true })`.
 */
function mapUserUpdate(claims, user) {
  const email = extractEmailFromUser(user);
  const { emailVerified, providerData, metadata } = user;
  const { lastSignInTime, creationTime } = metadata;
  // NOTE(review): providerData is stored verbatim, i.e. every linked
  // provider's profile fields land in the users collection — confirm that
  // is intended for a document the user can read back.
  return {
    claims,
    email,
    emailVerified,
    lastSignInTime,
    creationTime,
    providerData,
  };
}
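/**
 * Returns the best email address known for a Firebase Auth user: the
 * top-level `user.email` when present, otherwise the email of the first
 * linked provider record that carries one.
 *
 * @param {object} user - Firebase Auth user record (`email`, `providerData[]`).
 * @returns {string | undefined} the email, or `undefined` when neither the
 *   user nor any provider has one (e.g. phone or anonymous sign-in); the
 *   previous form threw a TypeError in that case.
 */
function extractEmailFromUser(user) {
  if (user.email) {
    return user.email;
  }
  // `providerData` may be absent, empty, or hold only providers without an email.
  const providers = user.providerData || [];
  const withEmail = providers.find((provider) => provider.email);
  return withEmail ? withEmail.email : undefined;
}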