Firestore security and anonymous login
Question
I have a small web-based Flutter application that uses Firebase/Firestore. The security rules are `allow read, write;`.
I got an anonymous email from a (friendly) hacker stating that
- "Our Firebase database credentials are leaked in response to a request" (??)
- "He was able to modify the database" (which he did indeed)
I understand that I have virtually no security with the given rules, but can somebody explain how a hacker can get access to the database and modify it? I guess the starting point is the network requests that can be seen in the browser's developer console, but I have no clue what's next. Can somebody outline how one can modify the Firestore database?
In an attempt to improve this, I have added anonymous authentication to my project and modified the security rules to `allow read, write: if request.auth != null;`.
Does this make hacking attempts (a bit) less easy?
Answer 1
Score: 2
With the `allow read, write;` security rules, as soon as someone has the API Key of your Firebase Project (which is public and can easily be found in the code of your app) he can read and write to your database, for example by using the Cloud Firestore API.
Modifying your security rules to `allow read, write: if request.auth != null;` is not necessarily a solution: If the email/password sign-in method is enabled in your Project, one can use the Firebase Auth REST API and sign-up to your project (i.e. create a new account). Once the user is signed-in the `request.auth != null` expression becomes `true`.
One classical approach to avoid "non-desired" users to access data, is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules: See the doc for more details.
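To make the custom-claims approach from this answer concrete, here is an added example ruleset (not code from the question or the answer above). It assumes a hypothetical `editor` claim that an administrator sets server-side with the Firebase Admin SDK (for example `auth.set_custom_user_claims(uid, {"editor": True})` in Python); clients cannot grant claims to themselves, which is exactly why a claim is a stronger gate than `request.auth != null`, which any anonymous or self-registered account satisfies. The `articles` and `users` collections are placeholders chosen for illustration.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Any signed-in account, including anonymous sign-in and accounts
    // self-registered through the Auth REST API, satisfies this.
    function signedIn() {
      return request.auth != null;
    }

    // Hypothetical custom claim "editor", set only via the Admin SDK.
    // A missing claim does not equal true, so the rule denies by default.
    function isEditor() {
      return signedIn() && request.auth.token.editor == true;
    }

    // Shared content: readable by any signed-in user, writable only by editors.
    match /articles/{articleId} {
      allow read: if signedIn();
      allow create, update, delete: if isEditor();
    }

    // Per-user documents: a user may only create and access a document
    // whose ID equals their own authenticated UID.
    match /users/{uid} {
      allow create: if signedIn() && request.auth.uid == uid;
      allow read, update, delete: if signedIn() && request.auth.uid == uid;
    }

    // Every path not matched above is denied implicitly.
  }
}
```

Two points worth checking when adapting this: rules deny anything not explicitly allowed, so leaving a collection unmatched is the safe default, and a claim only takes effect after the user's ID token is refreshed, so newly granted editors may need to sign in again before `isEditor()` returns true.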
Answer 2
Score: 2
> The security rules are `allow read, write;`
If you're using these settings it means that you allow anybody who knows your project ID to read/write to/from your database. Which is obviously bad, since malicious users can take advantage of it. It’s true that you can use these settings for a small amount of time for testing purposes, but never in a production environment.
The most important part when it comes to security rules is Firebase Authentication, meaning that you can allow access only to the users that are authenticated to perform operations in your database.
> In an attempt to improve this, I have added anonymous authentication to my project and modified the security rules to `allow read, write: if request.auth != null;`
These rules are better than the previous ones. However, it will allow anybody who knows your project ID and is authenticated to read/write to/from your database. If you want a more granular set of security rules, then you can use:
```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{uid} {
      allow create: if request.auth != null;
      allow read, update, delete: if request.auth != null && request.auth.uid == uid;
    }
  }
}
```
This will allow only the authenticated users to create a document, but to read, update and delete only the ones who have the UID from the authentication the same as the one in the database.
Besides security rules, I also recommend you use Firebase App Check, which is an additional layer of security that can help you protect access to your Firebase services by attesting that incoming requests are coming from your app. On the other hand, it blocks the traffic that doesn't have valid credentials.
So it's a mix of solutions.