英文:
Is it possible to use request.auth in firestore security rules when using a session cookie for authorization?
问题
This uses request.auth to check if the requesting user is authenticated. However, this rule fails when I use a sessionCookie for authorization, as described here.
Is it impossible to use request.auth when using a session cookie? Perhaps that's what's meant by
For security reasons, Firebase session cookies cannot be used with other Firebase services due to their custom validity period, which can be set to the maximum duration of 2 weeks.
英文:
Consider the following Firestore Security rules
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
This uses request.auth to check if the requesting user is authenticated. However, this rule fails when I use a sessionCookie for authorization, as described here.
Is it impossible to use request.auth when using a session cookie? Perhaps that's what's meant by
> For security reasons, Firebase session cookies cannot be used with other Firebase services due to their custom validity period, which can be set to the maximum duration of 2 weeks.
答案1
得分: 1
"使用会话cookie时使用request.auth是否不可能?\n\n是的,不可能。 会话cookie是在前端和后端之间传递数据的一种方式,而不是在前端和Firebase后端之间传递数据的方式。 Firebase SDK处理将身份验证令牌传输到Firebase服务的实现。"
英文:
> Is it impossible to use request.auth when using a session cookie?
It is impossible. Session cookies are a way for passing data between your frontend and your backend, not between your frontend and Firebase backends. The Firebase SDKs handle the implementation of transfer of auth tokens to Firebase services.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论