duan2477 2014-01-19 05:17
Views: 121
Accepted

How do I configure Firebase security rules to only allow writes from a cURL / PHP source?

I want to create a security rule in Firebase to only allow a PHP script (via a CURL request) to write to a location.

I can read/write to Firebase using a PHP script when the security rules allow anyone with authentication to read/write by appending .json?auth=MYAPPTOKEN to the URL.

I am also able to include/exclude users using Simple Login from reading/writing to locations, so I think I have a basic handle on the security rules syntax/operation.

Now, I want to have a location in Firebase that is only writeable from my PHP file.

Security rules that I've tried:

".write": "auth.secret == 'MYTOKEN'",
".write": "auth == 'MYTOKEN'",
".write": "auth.token == 'MYTOKEN'",

On the other side, I've tried modifying the .json?auth= in the request. Here's what I've tried:

$auth = array("token" => "MYTOKEN");
$auth = json_encode($auth);

Second Attempt:

$auth = json_encode("MYTOKEN");

And then replacing the .json?auth=MYTOKEN with .json?auth=$auth

So, how do I allow only that script to write to a location?

Thanks guys.


1 answer

  • douyue7536 2014-01-19 18:33

    The basic principle is to only give your PHP script auth credentials that allow write, which I think you've basically captured.

    If MYTOKEN represents your Firebase secret (you probably shouldn't use this) then security rules are bypassed, because this token sets admin: true internally.

    Thus, you can just set your security rules to ".read": false, ".write": false, which will prevent access to anyone not using an admin token.

    If you are generating the token yourself (which you probably should in this case), then you simply need to add a variable into the token, such as isMyPhpScript: true, that you can reference from your security rules.

    You can simulate tokens with no expiry by using a date many years into the future, so it works just like your secret, but still allows you to apply security restrictions:

    var FirebaseTokenGenerator = require("firebase-token-generator");
    // Tokens are signed with the Firebase secret; the secret itself never leaves the server.
    var tokenGenerator = new FirebaseTokenGenerator(YOUR_FIREBASE_SECRET);
    // Roughly 25,000 years from now, so the token effectively never expires.
    var veryFarInFuture = Date.now() + 8e+14;
    // isMyPhpScript becomes auth.isMyPhpScript inside the security rules.
    var token = tokenGenerator.createToken({ isMyPhpScript: true }, { expires: veryFarInFuture });
    

    Now in your rules you can write things like this:

    ".read": "auth.isMyPhpScript === true"
    

    If you want to create a custom token quickly without writing a script, you can use this fiddle I created for my own tinkering.

    This answer was accepted by the asker as the best answer.
