Firebase rules scanner: find open Firestore, Realtime Database, and Storage rules

Firebase apps fail security in one consistent way: the rule <code>allow read, write: if true;</code> is left in place from the quickstart's test mode and never replaced before production. AI coding assistants generate this exact rule from the documentation examples and leave it to the developer to tighten it. This article shows how the Firebase rules scanner finds open rules across Firestore, Realtime Database, and Cloud Storage from outside the project, and how to fix what it finds.

How the scanner finds open Firebase rules

Firebase services expose well-known, predictable URL patterns. An unauthenticated scanner can probe each one and check whether anonymous reads succeed. The FixVibe baas.firebase-rules check runs three independent probes, one per Firebase service:

  • <strong>Firestore.</strong> The scanner extracts the project ID from the deployed app's bundle (it's in <code>firebase.initializeApp({ projectId: ... })</code>), then issues <code>GET https://firestore.googleapis.com/v1/projects/[project-id]/databases/(default)/documents/[collection]:listDocuments</code> against common collection names. A <code>200 OK</code> with documents in the response means <code>allow read</code> is permissive.
  • <strong>Realtime Database.</strong> The scanner probes <code>https://[project-id]-default-rtdb.firebaseio.com/.json</code>. If the root can be read anonymously, the response is the entire database tree as JSON. The gentler probe requests <code>.json?shallow=true</code>, which returns only the top-level keys; that is a finding either way.
  • <strong>Cloud Storage.</strong> The scanner requests <code>https://firebasestorage.googleapis.com/v0/b/[project-id].appspot.com/o</code>. If the response lists file names without credentials, the bucket is anonymously listable. Listable storage is a finding even when every file download is denied: attackers list buckets to find guessable names.
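The three probes above, expressed as an added example (not FixVibe's own code): URL construction from a project ID pulled out of a bundle, plus a classifier for the HTTP replies, so you can paste in responses captured from your own project after a rules deploy and confirm each service reads as closed. The bundle excerpt, project ID and reply bodies are constructed placeholders.

```python
import json
import re
# Added example, not FixVibe's code: the three anonymous read-only probes from the
# list above, as URL construction plus a classifier for captured HTTP replies.

def extract_project_id(bundle_js):
    """Pull projectId out of the initializeApp() config shipped in the JS bundle."""
    m = re.search(r'projectId\s*:\s*["\']([a-z0-9-]+)["\']', bundle_js)
    return m.group(1) if m else None

def probe_urls(project_id, collection="users"):
    """The endpoints the text describes; the RTDB probe uses shallow=true."""
    return {
        "firestore": (f"https://firestore.googleapis.com/v1/projects/{project_id}"
                      f"/databases/(default)/documents/{collection}:listDocuments"),
        "rtdb": f"https://{project_id}-default-rtdb.firebaseio.com/.json?shallow=true",
        "storage": f"https://firebasestorage.googleapis.com/v0/b/{project_id}.appspot.com/o",
    }

def classify(service, status, body):
    """Map one probe's HTTP status and body to open / closed / absent / inconclusive."""
    if status in (401, 403):
        return "closed"       # a rules deny and an App Check rejection look alike from outside
    if status == 404:
        return "absent"       # e.g. the project has no default Realtime Database
    if status != 200:
        return "inconclusive"
    if service == "rtdb":
        return "open"         # any 200 on /.json, even an empty tree, means the root is readable
    try:
        data = json.loads(body)
    except ValueError:
        return "inconclusive"
    if not isinstance(data, dict):
        return "inconclusive"
    if service == "firestore":  # 200 with documents in the body means allow read is permissive
        return "open" if data.get("documents") else "inconclusive"
    return "open" if isinstance(data.get("items"), list) else "inconclusive"  # storage listing

def scan_responses(responses):
    """responses: {service: (status, body)} -> {service: verdict}, one entry per probe."""
    return {svc: classify(svc, st, body) for svc, (st, body) in responses.items()}

# Constructed sample bundle excerpt and HTTP replies (placeholder values, not real).
SAMPLE_BUNDLE = 'firebase.initializeApp({apiKey:"AIza-placeholder",projectId:"demo-app-12345"});'
SAMPLE_RESPONSES = {
    "firestore": (200, '{"documents":[{"name":"projects/demo-app-12345/databases/(default)/documents/users/u1"}]}'),
    "rtdb": (401, '{"error":"Permission denied"}'),
    "storage": (403, '{"error":{"code":403,"message":"Permission denied."}}'),
}
```

With the sample replies, Firestore reports open while the other two services report closed, which is exactly the partial-misconfiguration case the FAQ below describes.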

The test-mode footprint

The Firebase quickstart documentation includes one of the most widely reproduced rule blocks on the internet:

```firebase
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
```

Firebase used to attach an automatic 30-day expiry to these rules. That has changed: today the rules persist indefinitely unless the developer changes them. AI coding assistants, trained on years of documentation that includes the test-mode block, reproduce it verbatim and tell the developer "these are your security rules." They are not.

Other variants that appear in production but grant the same access:

```firebase
// future-date variant — equivalent to "if true"
allow read, write: if request.time < timestamp.date(2099, 1, 1);

// authenticated-user variant — any signed-in user reads and writes anything
allow read: if true;
allow write: if request.auth != null;

// any-auth variant — any signed-in user owns every document
allow read, write: if request.auth != null;
```

  • Future-timestamp variant: the rule grants everything until a far-future date. It never actually expires (see the dated block above).
  • <code>allow read: if true; allow write: if request.auth != null;</code>: public reads, and any authenticated user can write.
  • <code>allow read, write: if request.auth != null;</code>: any signed-in user can read or write any document, including other users' data.

What to do when the scanner finds open rules

Open Firebase rules are a quick fix once the scan has run. The fix has the same shape across all three services: scope every rule to request.auth.uid compared against the owner field. Each service has its own rule syntax:

Firestore

<code>match /users/{userId} { allow read, write: if request.auth != null && request.auth.uid == userId; }</code>. The path-segment binding <code>{userId}</code> becomes the only document the user can touch.

```firebase
match /users/{userId} {
  allow read, write: if request.auth != null
                     && request.auth.uid == userId;
}
```

Realtime Database

<code>{ "rules": { "users": { "$uid": { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" } } } }</code>. The <code>$uid</code> wildcard captures the path segment for comparison.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read":  "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}
```

Cloud Storage

<code>service firebase.storage { match /b/{bucket}/o { match /users/{userId}/{allPaths=**} { allow read, write: if request.auth.uid == userId; } } }</code>. Decision: store files under <code>users/[uid]/[filename]</code> and let the path enforce authorization.

```firebase
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{userId}/{allPaths=**} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}
```

Deploy the rules with the Firebase CLI: <code>firebase deploy --only firestore:rules</code>, <code>firebase deploy --only database</code>, <code>firebase deploy --only storage</code>. Confirm that the new rules are live in production by running the FixVibe scan again; the baas.firebase-rules finding will clear.

```bash
firebase deploy --only firestore:rules
firebase deploy --only database
firebase deploy --only storage
```

How this compares to Firebase's built-in tools

The Firebase Console shows you the current rules but does not test them against runtime behaviour. The Firebase rules simulator lets you test rule expressions against simulated requests, which is useful but local. Neither tool tells you what your production rules actually return to an anonymous attacker on the public internet. An external scanner like FixVibe (or Burp Suite with manual setup) is the only thing that tests from the attacker's side. Google's own App Check reduces abuse but is not a substitute for well-scoped rules.

Frequently asked questions

Does the scanner read or modify my Firestore data?

The passive check issues at most one anonymous read per service to confirm whether the rules allow it. The scanner records the response shape and the presence of data: no pagination, no document enumeration, and no writes. Write probes sit behind verified domain ownership and never run against unverified targets.

What if my Firebase project uses App Check?

App Check rejects unverified requests with 403. A scanner without an App Check token will see 403 on every probe, which is the correct answer. App Check is not a replacement for correct rules (a stolen App Check token combined with open rules still leaks data), but it does block opportunistic external probing.

Can the scanner find partial rule misconfigurations (open reads, closed writes)?

Yes: each rule (allow read, allow write) is tested separately. A read-only probe that succeeds with 200 OK reports an open-read finding even when writes are denied. The two findings are distinct: data exfiltration and data tampering are different risks.

Does this work for Firebase apps deployed under a custom domain?

Yes. The scanner extracts the Firebase project ID from the shipped bundle, not from the domain. Custom domains, app.web.app subdomains, and self-hosted Firebase apps all work the same way as long as the JavaScript bundle is reachable.

Next steps

Run a free FixVibe scan against your production URL: the baas.firebase-rules check ships on every plan and shows open rules across Firestore, Realtime Database, and Cloud Storage. For a deeper explanation of the allow read, write: if true pattern itself, see Firebase allow read, write: if true explained. For the full picture across Supabase, Firebase, Clerk, and Auth0, read BaaS misconfiguration scanner.

// scan your BaaS surface

Find the open table before someone else does.

Enter a production URL. FixVibe enumerates the BaaS providers your app talks to, fingerprints each one as public, and reports what an unauthenticated client can read or write. Free, no install, no card.

  • Free tier: 3 scans / month, no card required.
  • Passive BaaS fingerprinting: no domain verification needed.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, and more.
  • AI fix prompt on every finding: paste it back into Cursor / Claude Code.