Javascript: How do I prevent other websites/apps from accessing my Firebase?
Tags: javascript, firebase, firebase-security

I'm building a simple example app that basically just lets all users on the site chat with each other, like a chat room. Firebase lets me authenticate users anonymously, which is exactly what I want, since I only want users of my app to use it. The following code, taken from the Firebase documentation, performs the authentication:
    // Legacy (pre-3.0) Firebase web client: anonymous sign-in as shown in the
    // Firebase docs. Replace <your-firebase> with the name of your Firebase.
    var ref = new Firebase("https://<your-firebase>.firebaseio.com");
    ref.authAnonymously(function(error, authData) {
      if (error) {
        console.log("Login Failed!", error);
      } else {
        // authData.uid is the anonymous user's id; security rules see it as auth.uid
        console.log("Authenticated successfully with payload:", authData);
      }
    });
I really don't know how secure this actually is. I can't use a secret token, since it's all client-side. What am I missing?

Just create security rules that check whether the user has a particular attribute. You can set this attribute once in the dashboard on your own user's record (let's call it "isAdmin"), and then have all your rules return true if that attribute exists and is true.

Quick example:
    {
      "rules": {
        // Allow everyone to read. This rule cannot be refined in deeper levels.
        // Once permission is granted at a certain level, it cannot be revoked
        // in a deeper level. However, the other way around works, as we see
        // next.
        ".read": true,
        // Always allow writes by users who have the isAdmin attribute. If this
        // evaluates to false, you can still have subrules in deeper levels that
        // may grant permission.
        ".write": "root.child('users/' + auth.uid + '/isAdmin').val() === true",
        "users": {
          "$uid": {
            // Users can write to their own entries only. Except for the admin,
            // as his root rule already evaluated to true. The cascade is also
            // the reason why we need to check that the incoming isAdmin attribute is
            // actually false. We don't want to give the user a blank cheque just
            // because he is himself ...
            ".write": "$uid === auth.uid && newData.child('isAdmin').val() === false",
            "isAdmin": {
              // No one can write this attribute, except users who already have
              // the attribute (see above). The cascade makes sure of that.
              ".write": false
            }
          }
        }
      }
    }
Disclaimer: I haven't tested this extensively.
For more information, see the duplicate.
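An added example (not code from the question, the answer, or Firebase) for checking what those rules actually permit: a small Node.js simulator of the cascade the answer's comments describe, run over the answer's rules against a constructed database with one hand-flagged admin, one anonymous user and a rooms/ subtree the rules never mention. It is a simplified model of Firebase's evaluation, not its engine, and every uid, path and value in it is made up.

```javascript
// Added example, not code from the question, the answer or Firebase: a simplified
// simulator of how Realtime Database rules cascade, run over the answer's rules.
// Model: a read/write is granted if the ".read"/".write" rule at the requested path
// or at any ancestor is true; ".write" rules below the written path are not consulted;
// $wildcards bind path segments; newData is the post-write tree at the level checked.
// All uids, paths and database contents are constructed for the demo.
const RULES = {                                   // the answer's rules, verbatim
  '.read': true,
  '.write': "root.child('users/' + auth.uid + '/isAdmin').val() === true",
  users: {
    $uid: {
      '.write': "$uid === auth.uid && newData.child('isAdmin').val() === false",
      isAdmin: { '.write': false },
    },
  },
};

const segments = (path) => path.split('/').filter(Boolean);

function getAt(tree, segs) {                      // null for anything not present
  let v = tree;
  for (const s of segs) v = v !== null && typeof v === 'object' && s in v ? v[s] : null;
  return v;
}

// Tree as it would look after set(value) at `segs` (set() replaces the whole node).
function setAt(tree, segs, value) {
  if (segs.length === 0) return value;
  const copy = tree !== null && typeof tree === 'object' ? { ...tree } : {};
  copy[segs[0]] = setAt(getAt(copy, [segs[0]]), segs.slice(1), value);
  return copy;
}

// Minimal stand-in for the RuleDataSnapshot behind `root` and `newData`.
class Snapshot {
  constructor(value) { this.value = value === undefined ? null : value; }
  val() { return this.value; }
  child(path) { return new Snapshot(getAt(this.value, segments(path))); }
}

// Rule nodes from the root down to `path`, collecting $wildcard bindings on the way.
function ruleLevels(path) {
  const out = [{ node: RULES, wildcards: {} }];
  let node = RULES, wildcards = {};
  for (const seg of segments(path)) {
    let next = node[seg];                         // literal key first, then a $wildcard
    if (next === undefined) {
      const wc = Object.keys(node).find((k) => k.startsWith('$'));
      if (wc === undefined) break;                // no rules defined this deep
      wildcards = { ...wildcards, [wc]: seg };
      next = node[wc];
    }
    node = next;
    out.push({ node, wildcards });
  }
  return out;
}

// Rule strings are trusted developer configuration (Firebase evaluates them server-side);
// only that makes compiling them with new Function acceptable here.
function evalRule(rule, ctx) {
  if (typeof rule === 'boolean') return rule;
  const names = Object.keys(ctx.wildcards);
  try {
    const fn = new Function('root', 'auth', 'newData', ...names, `return (${rule});`);
    return fn(ctx.root, ctx.auth, ctx.newData, ...names.map((n) => ctx.wildcards[n])) === true;
  } catch (_) {
    return false;      // a rule that throws (e.g. auth.uid with auth === null) grants nothing
  }
}

function check(kind, db, auth, path, newValue) {
  const segs = segments(path);
  const after = kind === '.write' ? setAt(db, segs, newValue) : db;
  return ruleLevels(path).some(({ node, wildcards }, depth) =>
    node[kind] !== undefined && evalRule(node[kind], {
      root: new Snapshot(db), auth, wildcards,
      newData: new Snapshot(getAt(after, segs.slice(0, depth))),
    }));
}
const canRead = (db, auth, path) => check('.read', db, auth, path);
const canWrite = (db, auth, path, value) => check('.write', db, auth, path, value);

// Constructed state: one admin flagged by hand (as the answer suggests), one anonymous user.
const DB = {
  users: { 'admin-uid': { isAdmin: true }, 'alice-uid': { isAdmin: false, nick: 'alice' } },
  rooms: { lobby: { messages: { m1: { from: 'alice-uid', text: 'hi' } } } },
};
const ALICE = { uid: 'alice-uid' }, ADMIN = { uid: 'admin-uid' };

function runScenarios() {
  return {
    anyoneCanRead:        canRead(DB, null, 'rooms/lobby'),
    aliceEditsOwnNick:    canWrite(DB, ALICE, 'users/alice-uid/nick', 'alicia'),
    aliceSetsOwnIsAdmin:  canWrite(DB, ALICE, 'users/alice-uid/isAdmin', true),
    aliceSetNodeNoFlag:   canWrite(DB, ALICE, 'users/alice-uid', { nick: 'alicia' }),
    aliceSetNodeWithFlag: canWrite(DB, ALICE, 'users/alice-uid', { nick: 'alicia', isAdmin: false }),
    alicePostsMessage:    canWrite(DB, ALICE, 'rooms/lobby/messages/m2', { text: 'yo' }),
    adminPromotesAlice:   canWrite(DB, ADMIN, 'users/alice-uid/isAdmin', true),
    unauthenticatedWrite: canWrite(DB, null, 'users/alice-uid/nick', 'x'),
  };
}
console.log(runScenarios());
```

Running it shows the cascade at work. The admin's root grant lets them write users/alice-uid/isAdmin even though the rule directly on that key is `false`, which is the "cannot be revoked in a deeper level" behaviour the comments mention. The anonymous user can write only under their own uid, and only when the node as written still carries `isAdmin: false`: a `set()` of `{ nick: 'alicia' }` on users/alice-uid is rejected because `newData.child('isAdmin').val()` is then `null`, not `false`, so a client must resend the flag (or use a child write such as users/alice-uid/nick, where `newData` at the `$uid` level is the merged node and still contains the flag). Because `.write` rules below the written path are never consulted in this model, the `.write: false` on isAdmin on its own would not stop a user from writing their whole node with `isAdmin: true`; it is the `newData` check in the `$uid` rule that does. Finally, nothing in these rules grants a non-admin any write under rooms/, so the chat messages the question is about would need a rule of their own there, and `.read: true` at the root means an unauthenticated client can read everything, users/ included.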