How to setup Firebase security rules to accept connections only from an iOS App

借酒劲吻你 2020-12-18 17:24

I want to configure a Firebase database so that it only accepts connections from my iOS App.

I have no problem in configuring rules to manage access from authenticat

1 answer
  • 2020-12-18 17:32

    If I understand the question correctly, the criteria are as follows:

    1. You offer a purchasable app that provides access to premium data
    2. Only paid customers should be able to read that data
    3. It is possible for users to log in with FirebaseSimpleLogin without downloading your app
    4. You would like to prevent this

    Assuming all of this is correct, I see two quick answers:

    Create your own auth tokens

    Since FirebaseSimpleLogin is available in the cloud, you won't be able to prevent users from authenticating based on device. But FirebaseSimpleLogin is just a wrapper on the token generator, so nothing stops you from generating your own.

    #!/usr/bin/env node
    
    // Server-side only: the Firebase secret must never ship inside the iOS app.
    var FirebaseTokenGenerator = require("firebase-token-generator");
    var tokenGenerator = new FirebaseTokenGenerator(YOUR_FIREBASE_SECRET);
    
    // userId is the identifier your own server has already established for
    // the caller (e.g. from its session); placeholder, not defined here.
    if( validateUserIsFromiOSApp() ) {
       // The token's payload becomes `auth` inside the security rules.
       var token = tokenGenerator.createToken({id: userId});
    }
    
    // Left as an open question on purpose: there is no reliable client-side
    // signal that proves a request came from your app rather than a script.
    function validateUserIsFromiOSApp() { /* ??? */ }
    

    Now one can simply turn off simple login and users will have no way to authenticate without first obtaining a valid token from your service. Security rules here are proprietary, but would contain something like this:

    ".read": "auth.uid !== null"
    

    With some creativity, depending on the use case for requiring twitter/facebook auth, you might be able to bypass the entire auth process by simply having the app request a token when it registers and never forcing the user to authenticate at all.

    Using some metadata in conjunction with simple login

    Of course, simple login is by definition simple, and does not require a server process. You could utilize this by storing information about which users have purchased your app:

    1. user purchases app from store
    2. during receipt of transaction, you store user id and purchase record in Firebase
    3. use simple login auth as normal
    4. add a security rule to ensure user has purchased the app

    The security rule would look something like this:

    ".read": "root.child('purchase_receipts/'+auth.uid).exists()"
    

    Additional reading:

    • Security rules
    • Simple login
    • Custom auth tokens
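A fuller version of the second approach's rules, added here as an example rather than taken from the answer above; the path names `premium` and `purchase_receipts` are assumptions. The point it adds is the `.write` side: the receipt check only proves anything if clients cannot write their own receipt, so writes to `purchase_receipts` are closed to clients and left to the server process that holds the secret (rules are not applied to it).

```json
{
  "rules": {
    "premium": {
      ".read": "auth != null && root.child('purchase_receipts/' + auth.uid).exists()",
      ".write": false
    },
    "purchase_receipts": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": false
      }
    }
  }
}
```

The `auth != null` guard matters because `auth` is null for unauthenticated clients, and the `$uid` wildcard keeps one paying user from enumerating other users' receipts.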