duan2477 2014-01-19 05:17
Views: 121
Accepted

How do I configure Firebase security rules to only allow writes from a CURL / PHP source?

I want to create a security rule in Firebase to only allow a PHP script (via a CURL request) to write to a location.

I can read/write to Firebase using a PHP script when the security rules allow anyone with authentication to read/write by appending .json?auth=MYAPPTOKEN to the URL.

I am also able to include/exclude users using Simple Login from reading/writing to locations, so I think I have a basic handle on the security rules syntax/operation.

Now, I want to have a location in Firebase that is only writeable from my PHP file.

Security rules that I've tried:

".write": "auth.secret == 'MYTOKEN'"
".write": "auth == 'MYTOKEN'"
".write": "auth.token == 'MYTOKEN'"

On the other side, I've tried modifying the .json?auth= in the request. Here's what I've tried:

$auth = array("token" => "MYTOKEN");
$auth = json_encode($auth);

Second Attempt:

$auth = json_encode("MYTOKEN");

And then replacing the .json?auth=MYTOKEN with .json?auth=$auth

So, how do I allow only that script to write to a location?

Thanks guys.


1 answer

  • douyue7536 2014-01-19 18:33

    The basic principle is to only give your PHP script auth credentials that allow write, which I think you've basically captured.

    If MYTOKEN represents your Firebase secret (you probably shouldn't use this) then security rules are bypassed, because this token sets admin: true internally.

    Thus, you can just set your security rules to ".read": false, ".write": false, which will prevent access to anyone not using an admin token.

    If you are generating the token yourself (which you probably should in this case), then you simply need to add a variable into the token, such as isMyPhpScript: true, that you can reference from your security rules.

    You can simulate tokens with no expiry by using a date many years into the future, so it works just like your secret, but still allows you to apply security restrictions:

    // Token generator signs with the Firebase secret; the secret itself never leaves the server
    var FirebaseTokenGenerator = require("firebase-token-generator");
    var tokenGenerator = new FirebaseTokenGenerator(YOUR_FIREBASE_SECRET);
    // Expiry in milliseconds, far enough out to behave like a non-expiring token
    var veryFarInFuture = Date.now() + 8e+14;
    // The first argument becomes the `auth` object that security rules can inspect
    var token = tokenGenerator.createToken({ isMyPhpScript: true }, { expires: veryFarInFuture });

    Now in your rules you can write things like this:

    ".read": "auth.isMyPhpScript === true"
    

    If you want to create a custom token quickly without writing a script, you can use this fiddle I created for my own tinkering.

    This answer was selected as the best answer by the asker.
