
Due to the thin AngularFire documentation and the differences between it and the default web documentation for Firebase, I'm a little lost on how best to secure Create, Read, Update, and Delete operations with users.

In short, say I have an application that manages stores. Users can be owners of the stores or patrons. Owners should read and edit their own stores in their view and patrons should read all but edit no stores in their view.

I'm concerned about the security of methods suggested by the Firebase docs, such as:

So for example, we could have a rule like the following to allow users to create comments as long as they store their user id with the comment:

{
  "rules": {
    ".read": true,
    "$comment": {
      ".write": "!data.exists() && newData.child('user_id').val() == auth.id"
    }
  }
}

To me, this means that I could hack my application's data by simply passing in my victim's user id when I want to post a comment as them. Am I wrong?

I've read the security documentation thoroughly, several times. I think I need further explanation here. Identifying by a client-exposed parameter is the only method I can find so far.

1 Answer

In the example shown here, `auth` refers to the token data of the authenticated user. This is a special variable that Firebase sets during the auth() event, so it cannot be tampered with on the client. In other words, you can only write a comment if you set the user_id value to your own account id.

The contents of the `auth` object depend on how the client authenticated. For example, SimpleLogin's password provider puts the following into the authentication token: provider, email, and id; any of these can be used in security rules.

You can also sign your own tokens from the server, and of course the possibilities there are endless.

But the bottom line is that the values inside the token are supplied by a trusted process, not by the client, so the user cannot change them.

answered 2013-10-18T16:09:42.043
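To make the answer's point concrete, here is an added simulation (not code from the question, the answer, or Firebase itself) of how the `.write` rule quoted in the question is evaluated: the client controls only the payload it sends, while `auth` comes from the verified session token. The snapshot helper, the `attemptCommentWrite` function, and the sample database and token are all constructed for this example.

```javascript
// Constructed stand-in for the snapshot objects (`data`, `newData`) that
// Firebase hands to a rule expression.
function makeSnapshot(value) {
  const present = value !== null && value !== undefined;
  return {
    exists: () => present,
    val: () => (present ? value : null),
    child: (key) =>
      makeSnapshot(present && typeof value === 'object' ? value[key] : null),
  };
}

// The ".write" expression from the question, over the same three inputs the
// rule engine uses: existing data at the path, incoming data, and auth.
function commentWriteAllowed(data, newData, auth) {
  return !data.exists() && newData.child('user_id').val() === auth.id;
}

// Simulates a client writing /$comment. `existingComments` is the current
// database state; `payload` is fully client-controlled; `auth` is derived by
// Firebase from the token (null when the client is not authenticated).
function attemptCommentWrite(existingComments, commentId, payload, auth) {
  if (!auth) return { ok: false, reason: 'unauthenticated' };
  const existing = Object.prototype.hasOwnProperty.call(existingComments, commentId)
    ? existingComments[commentId]
    : null;
  const allowed = commentWriteAllowed(makeSnapshot(existing), makeSnapshot(payload), auth);
  return allowed ? { ok: true } : { ok: false, reason: 'permission_denied' };
}

// Walks through the cases the question worries about: the spoofed user_id is
// rejected because the token, not the payload, decides who the writer is.
function demo() {
  const db = { c1: { user_id: 'alice', text: 'first' } };        // constructed state
  const aliceToken = { id: 'alice', provider: 'password', email: 'alice@example.com' };
  return {
    ownWrite: attemptCommentWrite(db, 'c2', { user_id: 'alice', text: 'mine' }, aliceToken),
    spoofedWrite: attemptCommentWrite(db, 'c3', { user_id: 'bob', text: 'as bob' }, aliceToken),
    overwrite: attemptCommentWrite(db, 'c1', { user_id: 'alice', text: 'edit' }, aliceToken),
    anonymous: attemptCommentWrite(db, 'c4', { user_id: 'alice', text: 'x' }, null),
  };
}
```

Only `ownWrite` succeeds; the spoofed, overwriting, and anonymous attempts are denied, mirroring what the real rule does with a client-supplied user_id.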