Question: Authenticate firebase real time database requests made from backend (without a user)
- I am managing a project with a lot of Firebase Realtime Database and a lot of data.
- I also need very precise security features like masking certain fields for certain user roles, or masking data that contains fields related to the user, etc.

I know that I can handle that using Firebase Security Rules, but at that scale it's not readable nor maintainable at all.
So I want to handle all those security features server-side and proxy all requests to Firebase, so I wonder what is the best way to authenticate requests made by my backend to Firebase, knowing that ideally I will not grant any user any rights on any database.
Actually, I have tried to use a single "admin" user and make a simple security rule on all my Firebase models like "read|write": "auth.uid === MY_ADMIN_UID", but I wonder if there is a better solution.
Could you point me in the right direction please?
Answer 1
Score: 2
> I want to handle all those security features serverside and proxy all
> request to firebase, so I wonder what is the best way to authenticate
> requests made by my backend to firebase knowing that ideally, I will
> not grant any user any rights on any databases.
Classically, in the Firebase model, if you want to interact with a Firebase service (e.g. the Realtime Database) from a server you will use the Admin SDK. By default the Admin SDK bypasses all Security Rules and has full access to your data.
In other words, requests from the Firebase Admin SDK are not gated by Security Rules. So it means that you can protect your RTDB with Security Rules that deny any access (i.e. ".read": false, ".write": false) in such a way that a malicious user knowing the RTDB URL cannot query it.
This also means that you are in charge of controlling who is calling your proxy server before querying the RTDB from it.
HOWEVER, with the Realtime Database you can Authenticate with the Admin SDK with limited privileges, which IMO perfectly corresponds to your requirement, i.e. "best way to authenticate requests made by my backend".
As explained in the doc (see link above), you "use a unique identifier in your Security Rules to represent your service".
You then "set up appropriate Security Rules which grant your service access to the resources it needs" by using a specific identifier. For example:
{
  "rules": {
    "public_resource": {
      ".read": true,
      ".write": true
    },
    "private_resource": {
      ".read": "auth.uid === 'my-service-worker'", // <====== the identifier that represents your service
      ".write": false
    }
  }
}
And then, "on your server, when you initialize the Firebase app, you use the databaseAuthVariableOverride option to override the auth object used by your database rules. In this custom auth object, set the uid field to the identifier you used to represent your service in your Security Rules". See the examples for Java, Node.js, Python and Go in the doc.
Note that this still means that you are in charge of controlling who is calling your proxy server before querying the RTDB from it, but the Security Rules are less generic.
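As an added example (not part of the original answer, and not code from Firebase's own docs), the Node.js snippet below builds the Admin SDK initialization options the answer describes, with `databaseAuthVariableOverride` carrying the service identity, and evaluates the answer's rules locally with a small stand-in evaluator so the privilege boundary can be checked offline. The evaluator is a toy that understands only the rule subset used here (boolean literals and `auth.uid === '<literal>'`) and does not model rule cascading down the tree; `credential` and `databaseURL` are placeholders the deployer fills in; `initAdmin` assumes the `firebase-admin` package and is the only part that needs it.

```javascript
// Added example: scope a backend proxy to one service identity in the
// Realtime Database and check the resulting privilege boundary offline.

const SERVICE_UID = 'my-service-worker'; // identifier used in the answer's rules

// The rules from the answer (the trailing comma removed so this is valid JSON).
const RULES = {
  rules: {
    public_resource: { '.read': true, '.write': true },
    private_resource: { '.read': `auth.uid === '${SERVICE_UID}'`, '.write': false },
  },
};

// Options object for admin.initializeApp(). `credential` and `databaseURL`
// are placeholders; `databaseAuthVariableOverride` is the real option name.
// Passing serviceUid = null yields `databaseAuthVariableOverride: null`,
// which makes the SDK behave as an unauthenticated client.
function buildAdminOptions({ credential, databaseURL, serviceUid = SERVICE_UID }) {
  return {
    credential,
    databaseURL,
    databaseAuthVariableOverride: serviceUid === null ? null : { uid: serviceUid },
  };
}

// Toy evaluator (assumption: stands in for the RTDB rules engine) for a single
// rule value: a boolean literal or the expression `auth.uid === '<literal>'`.
// A null auth object (unauthenticated request) never matches a uid check.
function evalRule(rule, auth) {
  if (typeof rule === 'boolean') return rule;
  const m = /^auth\.uid === '([^']*)'$/.exec(rule);
  if (!m) throw new Error(`unsupported rule expression: ${rule}`);
  return auth !== null && auth.uid === m[1];
}

// Is `op` ('.read' or '.write') on a top-level path allowed for `auth`?
// Paths without a rule are denied, mirroring the deny-by-default posture.
function isAllowed(rules, path, op, auth) {
  const node = rules.rules[path];
  if (!node || !(op in node)) return false;
  return evalRule(node[op], auth);
}

// Only this function touches firebase-admin; it is required lazily so the
// rest of the file runs without the package installed.
function initAdmin(options) {
  const admin = require('firebase-admin'); // assumption: firebase-admin is installed
  return admin.initializeApp(options);
}

// Usage on a real server (placeholders for the deployer to replace):
// const app = initAdmin(buildAdminOptions({
//   credential: admin.credential.cert('/path/to/service-account.json'),
//   databaseURL: 'https://<PROJECT_ID>.firebaseio.com',
// }));
```

Two checks worth keeping in mind: the same service-account credential with a different `uid` in the override, or with no override at all, sees different rules results, so the proxy's authorization logic (who may call it, and for which records) is still the real gate; and `.write` on `private_resource` stays denied even for the service identity, which is the least-privilege split the answer recommends.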