问题
I'm building an application using AngularFire + Firebase.
To prevent new users from being created, and authenticated, from domains other than my application's domain, I'm trying to use the Authorized Request Origins feature in Firebase.
Currently, it is only configured to allow authentication from localhost. However, when I create a new user using the createUser API from my application's domain, the user gets created in my Firebase.
This should not happen since I used "err" from createUser is null.
Is there anything else I need to configure?
回答1:
[Engineer at Firebase] The authorized request origins is actually only applicable to the OAuth-based authentication providers (i.e. Facebook, Twitter, and GitHub) though your confusion is definitely warranted given our current interface. E-mail and password authentication is not subject to the same origin verification because it is not vulnerable to a malicious site taking advantage of an existing login on Facebook, Twitter, etc.
Keep it mind that email / password authentication only creates a mapping of an email address to a password hash, and generates a corresponding Firebase authentication token upon login. It does not read or write any data to / from your Firebase, and your Firebase is still subject to the same security rules that you've written for your application. Feel free to reach out to support@firebase.com if you have other concerns, or we can help out in any way.
来源:https://stackoverflow.com/questions/19058176/authorized-request-origins-is-not-restricting-domain-access-in-firebase