Question
Say I have data like so:
    users: {
      $authId: {
        name: "",
        propertiesById: {
          uniqueId1: true,
          uniqueId2: true
        }
      }
    },
    properties: {
      uniqueId1: {
        key: val
      },
      uniqueId2: {
        key: val
      }
    }
Assuming that I have the proper rules in place for users to be able to only read/write their own user object, how do I go about reading my properties safely?
I know that in rules, I can go to root, find the user object and ensure that the property that I'm trying to read exists in the propertiesById, but that seems like it would impact performance since these will be very large collections of properties.
How would I, if at all possible, go about writing a rule that says: "users cannot grab the entire properties collection, only individually by key". Also, if I were able to write this rule, would it be safe? I'm unclear on how difficult it would be to guess the keys generated by Firebase push().
Answer 1:
While Firebase push IDs are hard to guess, they are definitely guessable. You should not rely on the user not being able to guess a push ID for security.
Given that though, it is very easy to do precisely that:
    {
      "rules": {
        "properties": {
          "$uniqueId": {
            ".read": true,
            ".write": true
          }
        }
      }
    }
These rules allow any user to read any specific property, as long as they know that property exists. So no-one can read /properties, but everyone can read /properties/uniqueId1 and /properties/uniqueId2.
But again: this is not secure as push IDs are at some level reasonably guessable.
From the Firebase blog post explaining push IDs:
We also get questions on whether developers can rely on push IDs to be unguessable by others, which can be important if you're trying to do security via unguessable Firebase paths. While push IDs are generally very hard to guess, if you’re relying on unguessable IDs you should generate them yourself using a more secure mechanism.
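The membership check the question describes, written out as Realtime Database rules so that access does not depend on a key being unguessable. This is an added example, not part of the original question or answer. It assumes the `users` / `properties` layout from the question, Firebase Authentication for `auth.uid`, and that `propertiesById` is written only by trusted server code (an assumption).

```json
{
  "rules": {
    "users": {
      "$uid": {
        // Each user reads only their own record.
        ".read": "auth != null && auth.uid === $uid",
        "name": {
          // Client-writable profile field.
          ".write": "auth != null && auth.uid === $uid"
        },
        "propertiesById": {
          // Assumption: no client write rule here. The index is maintained
          // by trusted backend code. If clients could write it, they could
          // add any key and grant themselves access below.
        }
      }
    },
    "properties": {
      // No .read or .write at this level: the collection cannot be listed.
      "$uniqueId": {
        // Access requires the key to be present in the caller's own index,
        // so knowing or guessing a push ID is not sufficient.
        ".read": "auth != null && root.child('users').child(auth.uid).child('propertiesById').child($uniqueId).val() === true",
        ".write": "auth != null && root.child('users').child(auth.uid).child('propertiesById').child($uniqueId).val() === true"
      }
    }
  }
}
```

The `root.child(...)` expression is a lookup of one known path, not a scan of `properties` or of the index. Write rules cascade downward, which is why write access is granted on `name` rather than on the whole `$uid` node.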
Source: https://stackoverflow.com/questions/43129379/are-firebase-object-keys-guessable