问题
I understand that there are Realtime Database Rules which can be configured to restrict access to data at multiple levels. That's great.
What about hosting? Are 'Members Only' webpages secured exclusively by the Realtime Database Rules? In other words, the client side Javascript could look at the firebase.auth().currentUser; properties to determine what form, table, card, section, or whatever to switch from CSS display:none to display:inline, for example. However, the HTML is already downloaded to the client so that's not really secure.
So, is the idea to go ahead and download the page but use Realtime Database Rules to determine if the page details gets filled with sensitive data? Is that the idea?
I have even stored markup (HTML) in the Realtime Database and that actually worked fine.
Any recommendations are appreciated.
回答1:
Firebase Hosting doesn't have any kind of access control presently, and you're correct that the HTML/JS/CSS will all be downloaded even if you're hiding and showing it based on Firebase Auth state.
Depending on your application, that may actually be just fine! Since you can control what users actually do using Firebase Database security rules, it isn't really a big deal if users can dig into the code and see functionality that they can't actually utilize.
If it is important to hide the capabilities of the application, you could dynamically load JS/HTML from the database or Firebase Storage only after authorization.
来源:https://stackoverflow.com/questions/38650636/firebase-hosting-members-only-secured-webpages