有没有一种方法可以使我的燃料查询更加安全?
基本上,我们希望我们的应用使用用户名/密码而不是电子邮件/密码登录。我想查询给定用户名的实时数据库,它将返回与该用户名相关联的电子邮件(每个用户名都是唯一的btw),然后继续使用电子邮件/密码登录。工作中的标志,但我意识到这可能会带来安全风险。我们实时数据库的规则如下:
"rules": {
"user":{
".read": true,
".indexOn": ["username"],
"$uid": {
".write" :"$uid == auth.uid && auth != null",
}
}
}
显然,只有经过身份验证的用户允许写入,但这是每个人都读取的问题吗?这是我能想到的唯一解决方案。
Basically, we want our app to sign in with a username/password instead of email/password. I had the idea to query the realtime database given the username and it would return the email associated with that username (each username is unique btw) and then continue to sign in with email/password. The sign in works, but I realize this could pose a security risk. The rules for our realtime database are as follows:
"rules": {
"user":{
".read": true,
".indexOn": ["username"],
"$uid": {
".write" :"$uid == auth.uid && auth != null",
}
}
}
Obviously, write would only by allowed by authenticated users, but would this be a problem having read be true for everyone? This is the only solution that I can think of.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论