英文:
How to block Google Firestore access from the Google Firestore api
问题
我正在使用原生模式下的Google Firestore,并使用Go语言中的“cloud.google.com/go/firestore” API对其中的数据进行CRUD操作。只要您知道项目ID并在服务器上使用Firestore API,就可以广泛访问数据。在我弄清楚如何保护数据免受服务器攻击之前,我不想尝试规则。再次强调,API只需要项目ID即可访问数据,因此我需要首先确保其安全性,然后再进一步操作。根据我所了解,规则仅适用于移动端/网页客户端,服务器端客户端完全绕过规则。请帮助我。我不想使用Firebase API,因为攻击者仍然可以使用Firestore API访问数据。
英文:
I am working with Google Firestore in native mode and CRUD'ing data within it using the "cloud.google.com/go/firestore" api in Go. Access to the data is wide open as long as you know the project id and using the Firestore API on a server. I don't want to try the rules until I figure out how to secure the data from server attacks that. Again, all the API requires is the project id to access the data so I need to lock that down firstly before I move any further. Rules are only for mobile/web clients from what I read and Server side clients completely bypass the rules. Please help. I do not want to use the Firebase API because attackers can still use the Firestore api to access the data.
答案1
得分: 3
根据你问题中有限的信息,目前还不清楚你的Firestore数据库是否对具有项目ID的任何人开放。
该服务只对具有有效凭据的任何人(人类|机器)可访问。可以是具有Gmail帐户的人类,也可以是服务帐户密钥持有人。
无论哪种情况,只有你明确添加到项目中的身份才能访问其资源,而且只有具有适当的IAM角色|权限的身份才能访问。
谷歌提供了一个名为“应用程序默认凭据(ADCs)”的优雅工具,简化了客户端的身份验证过程。
我怀疑你的代码正在使用ADCs来对项目|服务进行身份验证。
英文:
It's unclear from the limited information in your question but, your Firestore database is not open to anyone with the Project ID.
The service is only accessible to any thing (human|machine) that has valid credentials. Either humans with e.g. Gmail accounts or Service Account key holders.
In either case, only identities that you've explicitly added to the project will be able to access its resources and then only those with the appropriate IAM roles|permissions.
Google provides an elegant facility called Application Default Credentials (ADCs) that simplifies authenticating clients.
I suspect that your code is using ADCs to authenticate you to the project|service.
答案2
得分: 1
如果你担心数据的访问权限过于开放,只要知道项目ID并在服务器上使用Firestore API,就可以访问数据。
如果这是一个问题,可以考虑在Firestore数据库的Firebase 安全规则中禁止所有访问。
此外,你可以查看我在这里的回答,了解为什么分享项目ID并不会造成安全问题,事实上,如果你想允许来自客户端设备的直接访问,这是必要的:https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public。如果你不想允许直接的客户端访问,关闭安全规则(默认情况下是这样的,除非在创建数据库时选择<kbd>测试模式</kbd>)是一个解决方法。
英文:
> Access to the data is wide open as long as you know the project id and using the Firestore API on a server.
If that is a concern, consider disallowing all access in the Firebase security rules for your Firestore database.
Also have a look at my answer here to understand why sharing your project ID is not a security concern, and in fact is necessary if you want to allow direct access from client-side devices: https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public. If you don't want to allow direct client-side access, closing down the security rules (as they are by default, unless you choose <kbd>test mode</kbd> when creating the database) is the way to go.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论