Firestore security rules granting access only to users authenticated with Google and that are part of the Firebase project

huangapple go评论71阅读模式
英文:

Firestore security rules granting access only to users authenticated with Google and that are part of the Firebase project

问题

我正在使用FireCMS管理我的Firestore,并已设置了Google身份验证。为了保护我的数据,我只希望授予属于Firebase项目的Google用户访问权限。如果可能的话,我也想避免逐个列出用户的电子邮件。

我尝试过以下方法:

```plaintext
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents/{document=**} {
    allow read, write: if request.auth != null &&
      request.auth.token.firebase != null &&
      request.auth.token.firebase.identities["google.com"] != null;
  }
}

但这会给予所有Google帐户访问权限,而不仅仅是那些已被邀请到我的Firebase项目的帐户。


<details>
<summary>英文:</summary>

I am using FireCMS for my Firestore and have set up Google authentication. To secure my data, I only wish to grant access to Google users that are part of the Firebase project. I&#39;d also like to avoid listing user emails one by one, if possible.

Here&#39;s what I tried so far:

rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents/{document=**} {
allow read, write: if request.auth != null &&
request.auth.token.firebase != null &&
request.auth.token.firebase.identities["google.com"] != null;
}
}


But this gives access to all Google accounts, not just those that have been invited to my Firebase project.

</details>


# 答案1
**得分**: 2

没有办法从用户的Firebase ID令牌中的信息确定用户是否是Firebase项目的合作者。安全规则也无法访问您的Firebase项目的信息。

我能想到的唯一选择是:

- 如果您使用 Identity Platform,您可能可以[禁用注册](https://console.firebase.google.com/project/_/authentication/settings),只保留登录功能。然后在将他们添加到项目后,您可以预先为每个合作者创建一个帐户。
- 在合作者的令牌中包含一个自定义声明,然后您的安全规则进行检查。如果您不想自己编写代码,您可以考虑使用允许您通过Firestore[设置Auth声明的扩展](https://github.com/FirebaseExtended/experimental-extensions/tree/next/firestore-auth-claims)。
- 在您的Firestore数据库中包含每个合作者的信息,然后在您的安全规则中从那里查找,类似于[获取用户规则的此示例](https://firebase.google.com/docs/firestore/security/rules-conditions#access_other_documents)。

<details>
<summary>英文:</summary>

There is no way to identify that the user is a collaborator on the Firebase project from the information in their Firebase ID token. The security rules also don&#39;t have access to the information of your Firebase project.

The only options I can think of are to:

* If you use Identity Platform, you may be able to [disable sign-up](https://console.firebase.google.com/project/_/authentication/settings) - and only leave sign-in enabled. You could then pre-create an account for each collaborator, after you add them to the project.
* Include a custom claim in the token of collaborators, that your security rules then check for. If you don&#39;t want to write the code for this yourself, you can consider using extension that let&#39;s you [set Auth claims through Firestore](https://github.com/FirebaseExtended/experimental-extensions/tree/next/firestore-auth-claims).
* Include information about each collaborator in your Firestore database, and then look it up from there in your security rules, similar to this example on [getting user rules](https://firebase.google.com/docs/firestore/security/rules-conditions#access_other_documents).

</details>



huangapple
  • 本文由 发表于 2023年4月10日 21:52:15
  • 转载请务必保留本文链接:https://go.coder-hub.com/75977716.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定