duan2477 2014-01-19 05:17
Views: 121
Accepted

How do I configure Firebase security rules to only allow writes from a cURL/PHP source?

I want to create a security rule in Firebase to only allow a PHP script (via a CURL request) to write to a location.

I can read/write to Firebase using a PHP script when the security rules allow anyone with authentication to read/write by appending .json?auth=MYAPPTOKEN to the URL.

I am also able to include/exclude users using Simple Login from reading/writing to locations, so I think I have a basic handle on the security rules syntax/operation.

Now, I want to have a location in Firebase that is only writeable from my PHP file.

Security rules that I've tried:

".write": "auth.secret == 'MYTOKEN'",
".write": "auth == 'MYTOKEN'",
".write": "auth.token == 'MYTOKEN'",

On the other side, I've tried modifying the .json?auth= in the request. Here's what I've tried:

$auth = array("token" => "MYTOKEN");
$auth = json_encode($auth);

Second Attempt:

$auth = json_encode("MYTOKEN");

And then replacing the .json?auth=MYTOKEN with .json?auth=$auth

So, how do I allow only that script to write to a location?

Thanks guys.


1 answer

  • douyue7536 2014-01-19 18:33

    The basic principle is to only give your PHP script auth credentials that allow write, which I think you've basically captured.

    If MYTOKEN represents your Firebase secret (you probably shouldn't use this) then security rules are bypassed, because this token sets admin: true internally.

    Thus, you can just set your security rules to ".read": false, ".write": false, which will prevent access to anyone not using an admin token.

    If you are generating the token yourself (which you probably should in this case), then you simply need to add a variable into the token, such as isMyPhpScript: true, that you can reference from your security rules.

    You can simulate tokens with no expiry by using a date many years into the future, so it works just like your secret, but still allows you to apply security restrictions:

    var FirebaseTokenGenerator = require("firebase-token-generator");
    // YOUR_FIREBASE_SECRET is a placeholder for the secret from the Firebase dashboard
    var tokenGenerator = new FirebaseTokenGenerator(YOUR_FIREBASE_SECRET);
    // firebase-token-generator documents `expires` in seconds since the epoch;
    // Date.now() is in milliseconds, so this value lands so far out that the
    // token effectively never expires
    var veryFarInFuture = Date.now() + 8e+14;
    // the object passed as the first argument becomes the `auth` variable in security rules
    var token = tokenGenerator.createToken({ isMyPhpScript: true }, { expires: veryFarInFuture });
    

    Now in your rules you can write things like this:

    ".read": "auth.isMyPhpScript === true"
    

    If you want to create a custom token quickly without writing a script, you can use this fiddle I created for my own tinkering.

    This answer was selected as the best answer by the asker.
