匿名Auth Firestore安全
我正在使用Firebase Anonymous Auth来控制对我的Firestore数据的访问,而无需登记。
在阅读了许多帖子并尽可能地查看文档(我仍在学习)之后,我的理解是
- Firebase Anonymous Auth不如其他firebase auth选项,
- 任何具有正确技能的人都可以使用我的API键来创建UID 访问
- 授予对此的
,我们使用规则(在这种情况下为firestore规则),因此我为所有收集创建了规则,使某些收藏只能“获取”:
match /collection/doc {
allow get: if request.auth != null;
}
文档ID必须与UID匹配的其他集合:
match /collection/{uid} {
allow get, write: if request.auth != null && request.auth.uid == uid;
}
这很棒,似乎很棒,并且当我测试它时工作得很好;但是,有一个集合将包含“仅获取”的数据,但我认为敏感(名称和工作电话号码)。
我想了解的是: 对于“以恶意意图”获得访问权限的任何人都可以获取所有收藏的列表以及内部所有内容的清单,从而使他们能够进入并访问仅“获取”的敏感文档?如:
allow get: if request.auth != null;
我使用的是“ get”而不是“读”,因为我听说“ get”可以防止通过管理员SDK执行列表查询。
我的想法是,如果他们无法获得集合 /文档列表,他们将无法访问敏感数据,因为他们的路径将是未知的。还是这是一个天真的假设?
I'm using Firebase anonymous auth to control access to my Firestore data without requiring the hassle of registration.
After reading many posts and looking up the documentation as best I can (I'm still learning), my understanding is
- Firebase Anonymous auth is not as secure as other Firebase auth options
- Anyone with the right skills could use my API key to create a UID granting access
- To mitigate this, we use rules (in this case Firestore rules)
So I created rules for all my collections, making some collections 'get' only:
match /collection/doc {
allow get: if request.auth != null;
}
Other collections where the document ID must match the UID:
match /collection/{uid} {
allow get, write: if request.auth != null && request.auth.uid == uid;
}
Which is great, and seems to work well when I tested it; however, there is one collection that will contain data that is 'get' only, but I consider sensitive (names and work phone numbers).
What I'm trying to understand is:
Is it possible for anyone who gains access "with malicious intent" to obtain a list of all collections, and everything inside, thereby giving them the ability to go in and access sensitive documents that are 'get' only? As in:
allow get: if request.auth != null;
I'm using 'get' instead of 'read' because I heard that 'get' prevents a list query from being executed via the admin SDK.
My idea being that if they can't get a list of collections / documents, they won't be able to access the sensitive data because the path will be unknown to them. Or is this a naive assumption?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
匿名auth的安全性,就像方法中的大多数其他符号一样安全,它只是没有任何了解用户是谁的知识。但是他们仍然通过Firebase分配给他们的UID,这使您可以保护该用户的数据访问。
通过此规则,您显示的是:
用户只能读取与其UID匹配的文档。因此,无论他们是匿名签名还是与其他提供商签名,他们只能读/编写自己的文档。
因此,这些规则确实不允许任何用户获取其他用户文档的列表。即使您允许
list操作(或组合的read操作),整个集合的读取操作也会被拒绝为request.auth.uid = = UID条件要求他们仅阅读自己的文档。Anonymous auth is just as secure as most other sign in methods, it just doesn't give you any knowledge about who the user is. But they still get a UID assigned to them by Firebase, which allows you to secure data access for that user.
With this rule you showed:
A user can only read and write the document that matches with their UID. So no matter if they signed in anonymously or with another provider, they can only read/write their own document.
So these rules indeed don't allow any user to get a list of other user documents. Even if you allowed the
listoperation (or the combinedreadoperation), a read operation for the entire collection would get rejected as therequest.auth.uid == uidcondition requires that they only read their own document.