firebase安全规则:通过请求中的自定义UID。
我正在使用Next-auth V4,Firebase V9和NextJS,并试图通过Firebase安全规则解决问题。
我的安全规则在请求中没有收到任何内容。
在Next-auth中,我正在使用会话回调来确定何时在数据库中创建新用户:
export default NextAuth({
providers: [
GoogleProvider({
clientId: process.env.GOOGLE_CLIENT_ID,
clientSecret: process.env.GOOGLE_CLIENT_SECRET,
}),
],
secret: process.env.JWT_SECRET,
callbacks: {
async session({ session, token }) {
session.id = token?.sub;
const userDocRef = doc(db, "users", session.id);
const userDocSnap = await getDoc(userDocRef);
if (!userDocSnap.exists()) {
await setDoc(doc(db, "users", session.id), {
uid: session.id,
name: session.user.name,
image: session.user.image,
email: session.user.email,
});
}
我该如何制作它,以便我能够从firebase侧验证userId,同时仍在使用Next-auth。有没有办法将Session.ID从我的JWT到Firebase?
I'm using next-auth v4, Firebase v9 and NextJS and trying to solve an issue with Firebase security rules.
My security rules do not receive anything in request.auth because I'm using next-auth and I couldn't find a way to pass my next-auth session ID as a UID in firebase requests.
In next-auth, I'm using session callbacks to determine when to create new user in database:
export default NextAuth({
providers: [
GoogleProvider({
clientId: process.env.GOOGLE_CLIENT_ID,
clientSecret: process.env.GOOGLE_CLIENT_SECRET,
}),
],
secret: process.env.JWT_SECRET,
callbacks: {
async session({ session, token }) {
session.id = token?.sub;
const userDocRef = doc(db, "users", session.id);
const userDocSnap = await getDoc(userDocRef);
if (!userDocSnap.exists()) {
await setDoc(doc(db, "users", session.id), {
uid: session.id,
name: session.user.name,
image: session.user.image,
email: session.user.email,
});
}
How can I make it so that I'm able to verify the userId from the firebase side, while still using next-auth. Is there a way to pass session.id from my JWT to firebase?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
在文档
Firebase安全规则仅在使用Firebase身份验证或Google Cloud Identity时才接收用户信息。它不能与其他Auth系统一起使用。 Firebase SDK始终将当前签名的用户签名的UID安全提供。没有办法将UID传递到安全规则中 - 这根本不安全,因为伪造用户很容易。
也许您可以使用某种
In the documentation it states:
Firebase security rules only receive user information when using Firebase Authentication or Google Cloud Identity. It cannot be made to work with other auth systems. The UID of the currently signed in user is always provided securely by the Firebase SDK. There is no way to "pass" a UID into security rules - that would not be secure at all, as it would be easy to fake the user.
Perhaps you could use some sort of custom authentication implementation of your creation to bridge between what you have now and Firebase. You will still need to use the Firebase Auth SDK to sign the user in.