问题
Building an app, using Firestore database for its content.
Rules are:
service cloud.firestore {
match /databases/{database}/documents {
// Allow public read access, but only content owners can write
match /{document=**} {
allow read: if true
allow write: if request.auth.uid == request.resource.data.author_uid
}
}
}
As the warning says, I have allow read just set to true, which I understand, is a problem.
How do I make it so my Flutter app can read the contents of my Firestore database, but any random user can't? The app is public/free...etc, so I don't want people to have to login.
Do I give my app some kind of code and check against that? Or...?
Update: I see that there is anonymous login, which could solve the issue, but is that overkill? Does it actually help? Will it then keep my app from being used offline? ...etc
回答1:
There is no way to secure access based on it being your app, or your code. That's simply not how security works with cloud based services. If you want to limit access to legitimate users of your app, you will have to sign those users in and somehow legitimize them.
What legitimate means here is up to you of course. Whether that is "they are signed in" (request.auth != null), or that they verified their email address so you can contact them (request.auth.token. email_verified == true), or one of the many other options, it's all possible.
Also see:
- Locking down Firebase DB access to specific apps (which includes many more links)
- How to make firebase storage only available to users of the app
- Restrict firebase access to a single android app without authentication (again with more links)
- How do I prevent un-authorized access to my Firebase Database? (probably the oldest answer on the topic)
回答2:
In the Rules Section of the Database, try to code them like, if the user is logged in then he will have access. Follow this link for more info.
来源:https://stackoverflow.com/questions/59762971/your-cloud-firestore-database-has-insecure-any-user-can-read-your-entire-databa