Authenticate Firebase Realtime Database requests made from a backend (without user authentication)

English original:

Authenticate firebase real time database requests made from backend (without a user)

Question

  • I am managing a project with a lot of Firebase Realtime Database usage and a lot of data.
  • I also need very precise security features, such as masking certain fields for certain user roles, or masking data that contains fields related to the user, and so on.

I know I can handle this with Firebase Security Rules, but at this scale they are practically unreadable and unmaintainable.

So I want to handle all of these security features server-side and proxy every request to Firebase, and I would like to know the best way to authenticate the requests my backend makes to Firebase; ideally I would not grant any user any rights on any database.

Actually, I have tried using a single "admin" user with a simple security rule on all my Firebase models, such as "read|write": "auth.uid === MY_ADMIN_UID", but I wonder if there is a better solution.

Could you point me in the right direction?

English original:
  • I am managing a project with a lot of Firebase Realtime Database usage and a lot of data
  • I also need very precise security features like masking certain fields for certain user roles or masking data that contains fields related to the user...etc

I know that I can handle that using Firebase Security Rules but at that scale, it's not readable nor maintainable at all.

So I want to handle all those security features server-side and proxy all requests to Firebase, so I wonder what is the best way to authenticate requests made by my backend to Firebase knowing that ideally, I will not grant any user any rights on any databases.

Actually, I have tried to use a single "admin" user and make a simple security rule on all my firebase models like "read|write": "auth.uid === MY_ADMIN_UID" but I wonder if there is a better solution.

Could you point me in the right direction please?

Answer 1

Score: 2


> I want to handle all these security features server-side and proxy all requests to Firebase, so I wonder what the best way is to authenticate the requests made by my backend, given that ideally I will not grant any user any rights on any database.

Classically, in the Firebase model, if you want to interact with a Firebase service (for example the Realtime Database) from a server, you use the Admin SDK. By default, the Admin SDK bypasses all Security Rules and has full access to your data.

In other words, requests from the Firebase Admin SDK are not gated by Security Rules. That means you can protect your RTDB with Security Rules that deny all access (i.e. ".read": false, ".write": false), so that a malicious user who knows the RTDB URL cannot query it.

It also means that you are responsible for controlling who calls your proxy server before it queries the RTDB.


However, with the Realtime Database you can authenticate with the Admin SDK with limited privileges, which exactly matches your requirement, i.e. "the best way to authenticate requests made by my backend".

As explained in the documentation (see the link above), you "use a unique identifier in your Security Rules to represent your service".

You then set up appropriate Security Rules, using that specific identifier, to grant your service access to the resources it needs. For example:

{
  "rules": {
    "public_resource": {
      ".read": true,
      ".write": true
    },
    "private_resource": {
      ".read": "auth.uid === 'my-service-worker'",  // <======
      ".write": false
    }
  }
}

Then, on the server where you initialize the Firebase app, use the databaseAuthVariableOverride option to override the auth object used by your database rules. In that custom auth object, set the uid field to the identifier you used in your Security Rules to represent your service. See the Java, Node.js, Python and Go examples in the documentation.

Note that this still means you are responsible for controlling who calls your proxy server before it queries the RTDB, but the Security Rules are less generic.

English original:

> I want to handle all those security features serverside and proxy all
> request to firebase, so I wonder what is the best way to authenticate
> requests made by my backend to firebase knowing that ideally, I will
> not grant any user any rights on any databases.

Classically, in the Firebase model, if you want to interact with a Firebase service (e.g. the Realtime Database) from a server you will use the Admin SDK. By default the Admin SDK bypasses all Security Rules and has full access to your data.

In other words, requests from the Firebase Admin SDK are not gated by Security Rules. So it means that you can protect your RTDB with Security Rules that deny any access (i.e. ".read": false, ".write": false) in such a way that a malicious user knowing the RTDB URL cannot query it.

This also means that you are in charge of controlling who is calling your proxy server before querying the RTDB from it.


HOWEVER, with the Realtime Database you can Authenticate with the Admin SDK with limited privileges, which IMO perfectly corresponds to your requirement, i.e. "best way to authenticate requests made by my backend".

As explained in the doc (see link above), you "use a unique identifier in your Security Rules to represent your service".

You then "set up appropriate Security Rules which grant your service access to the resources it needs" by using a specific identifier. For example:

{
  "rules": {
    "public_resource": {
      ".read": true,
      ".write": true
    },
    "private_resource": {
      ".read": "auth.uid === 'my-service-worker'",  // <======
      ".write": false
    }
  }
}

And then, "on your server, when you initialize the Firebase app, you use the databaseAuthVariableOverride option to override the auth object used by your database rules. In this custom auth object, set the uid field to the identifier you used to represent your service in your Security Rules". See the examples for Java, Node.js, Python and Go in the doc.

Note that this still means that you are in charge of controlling who is calling your proxy server before querying the RTDB from it, but the Security Rules are less generic.
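The two pieces the answer describes, a limited-privilege Admin SDK app whose requests are evaluated as auth.uid === 'my-service-worker', and the per-role field masking the proxy has to do itself, as an added Node.js example that is not part of the original answer. It assumes the firebase-admin package, a GOOGLE_APPLICATION_CREDENTIALS service-account key and a DATABASE_URL environment variable; the role policy, the 'private_resource/users' path and the sample records are constructed for the example. The Admin SDK is only touched inside initAdminApp() and readForCaller(), so the masking logic runs and can be tested without network access.

```javascript
// Added example, not code from the original answer.
// Assumed environment: Node.js with firebase-admin installed,
// GOOGLE_APPLICATION_CREDENTIALS pointing at a service-account key, and
// DATABASE_URL set to the Realtime Database URL.

// Constructed per-role visibility policy: for each RTDB path, the fields a
// role is allowed to see. Anything not listed is withheld (default deny).
const VISIBLE_FIELDS = {
  'private_resource/users': {
    admin:   ['id', 'email', 'phone', 'ssn'],
    support: ['id', 'email', 'phone'],
    viewer:  ['id'],
  },
};

// Reduce one record to the fields the caller's role may see.
// Unknown role, unknown path or a non-object record yields null.
function maskForRole(path, role, record) {
  const policy = VISIBLE_FIELDS[path];
  const allowed = policy ? policy[role] : undefined;
  if (!allowed || record === null || typeof record !== 'object') return null;
  const masked = {};
  for (const field of allowed) {
    if (Object.prototype.hasOwnProperty.call(record, field)) {
      masked[field] = record[field];
    }
  }
  return masked;
}

// Apply maskForRole to a whole node as RTDB returns it: an object keyed by
// child key. Records the role may not see at all are dropped rather than
// nulled, so the response does not leak which keys exist.
function maskCollection(path, role, collection) {
  if (collection === null || typeof collection !== 'object') return {};
  const out = {};
  for (const [key, record] of Object.entries(collection)) {
    const masked = maskForRole(path, role, record);
    if (masked !== null) out[key] = masked;
  }
  return out;
}

// Initialise the Admin SDK so that every request it makes is evaluated by the
// Security Rules with auth.uid === 'my-service-worker' (the identifier used in
// the rules above) instead of bypassing them. The app is given a name so a
// separate, unrestricted app could coexist in the same process if ever needed.
function initAdminApp() {
  const admin = require('firebase-admin');
  return admin.initializeApp({
    credential: admin.credential.applicationDefault(),
    databaseURL: process.env.DATABASE_URL,
    databaseAuthVariableOverride: { uid: 'my-service-worker' },
  }, 'limited-rtdb-proxy');
}

// Proxy read: the caller's role is decided by the proxy (for example from a
// session it has already verified); the database only ever sees
// 'my-service-worker', never the end user.
async function readForCaller(app, path, role) {
  const snapshot = await app.database().ref(path).once('value');
  return maskCollection(path, role, snapshot.val());
}

// Constructed sample node, shaped like snapshot.val() of 'private_resource/users'.
const SAMPLE_USERS = {
  u1: { id: 'u1', email: 'u1@example.com', phone: '+1-555-0100', ssn: '000-00-0001' },
  u2: { id: 'u2', email: 'u2@example.com', phone: '+1-555-0101', ssn: '000-00-0002' },
};

// Offline demonstration of the masking step on the constructed sample.
function demo() {
  const path = 'private_resource/users';
  return {
    support: maskCollection(path, 'support', SAMPLE_USERS),
    viewer: maskCollection(path, 'viewer', SAMPLE_USERS),
    unknown: maskCollection(path, 'guest', SAMPLE_USERS),
  };
}
```

Two points worth keeping in mind with this layout: databaseAuthVariableOverride is set per app instance, so every database handle obtained from that app is limited, and a second named app is the way to get an unrestricted handle when one is genuinely required; and the masking still happens in your process, so the service account must only be reachable from the proxy and the proxy must establish the caller's role before any read, exactly as the answer says.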

huangapple
  • Published on 2023-01-05 01:05:05
  • Please keep this link when reposting: https://go.coder-hub.com/75008843.html