2

我想弄清楚如何验证我对 Firestore 的请求。

我正在使用https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=<API_KEY>两者,它返回我用户的 idToken。

我对我的路由进行身份验证,这些路由仍然有效,但仍然暴露了我的 Firestore,因此我切换到使用安全规则,但我似乎无法对任何请求进行身份验证。

我正在使用 express 在本地使用这种格式处理到 firestore 的路由:

GET http://localhost:5001/<PROJECT_ID>/us-central1/database/users/

Rules: allow read, write: if true;

GET https://firestore.googleapis.com/v1/projects/<PROJECT_ID>/databases/(default)/documents/users
content-type: application/json

Response: 200 (And I see all the documents)

Rules: allow read, write: if request.auth != null;

GET https://firestore.googleapis.com/v1/projects/<PROJECT_ID>/databases/(default)/documents/users
Authorization: Bearer {{idToken}}
content-type: application/json

Response: {
  "error": {
    "code": 403,
    "message": "Missing or insufficient permissions.",
    "status": "PERMISSION_DENIED"
  }
}

更多详细信息

下面的代码有效,但使用 firebase 其他方式获取数据,它绕过了这一点,并且只会根据安全规则进行限制。

索引.ts

import * as functions from 'firebase-functions';
import * as express from 'express';
import * as cors from 'cors';

import isAuthenticated from './components/middleware/authenticated';
import isAuthorized from './components/middleware/authorized';

import users_all from './users/controllers/all';

const route = express();
route.use(cors({ origin: true }));


route.get('/users', isAuthenticated, isAuthorized({ hasRole: ['admin', 'manager'] }), users_all);

exports.database = functions.https.onRequest(route);

users_all

import { Request, Response } from "express";
import sentry from '../../components/reporting/sentry';
import Fireapp from '../../components/firebase/fireapp';

Fireapp

const all = async (req: Request, res: Response) => {

    try {

        let profiles: any = [];

        /** Retrieve the exact document reference */
        const reference = Fireapp.firestore().collection('users').get()
            .then((documents: firebase.firestore.QuerySnapshot) => {
                documents.docs.forEach((doc: firebase.firestore.DocumentData) => { profiles.push(doc.data()) });
                return profiles;
            });

        return Promise.all([reference]).then((response: any) => {
            res.status(200).send(profiles);
        }).catch((error: any) => { throw error });

    } catch (error) {
        sentry(error, { service: '[GET ALL USER]', level: 'moderate', message: error.message });
        res.status(400).send(error.message)
    }

}

export default all;
4

0 回答 0