If I use the prod environment variables in my app and set the server-side rules for Firestore, would my app be completely secure to perform CRUD and authentication? I am asking this because I have been seeing Angular tutorials by pretty famous YouTube content creators (Fireship), and they do not touch server-side code and still show how to make production applications. All the tutorials use only Angular and some libraries to produce the apps and features, but then the console on Google says not to expose the API keys. Using only client-side Angular, even with production environment variables, exposes the private keys, right?
So in short, should I be using Node to do CRUD and Auth with Firestore, or do server-side rules on the console work safely?
Recommended answer

The configuration that you use on the client to get it to communicate directly with Firebase services does not include a private API key. Much has been said about this in various forums over the past few years. The thing you see that might be labeled an API key is actually public information. It helps the client library locate the project it's working against. The API keys you want to hide are those that expose direct access to other billed services, including Google Cloud service accounts.
You limit access to Firebase backend services (Cloud Firestore, Realtime Database, Cloud Storage) using security rules that determine what a user can or cannot do with the data stored in them. If you don't do this correctly, you could have problems.
Whether you want to let the client access the services directly or make the client go through some middleware you write should be decided by other reasons, as discussed in this article.
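To make the answer's point about security rules concrete, here is an added example (not part of the original question or answer) of a Cloud Firestore rules file. The collection names `users` and `posts`, the field names `authorId`, `title`, `body` and `createdAt`, and the 200-character title limit are assumptions chosen for the illustration. The commented-out block at the top is the kind of "development" rule that many tutorials leave in place; because the client config is public, that rule lets anyone who copies it from your bundle read and write your whole database. The rules below it tie every write to the signed-in user's `request.auth.uid` and validate the shape of the document being written.

```firestore
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (do not ship): the public web config is enough to reach the
    // database, so this grants full read/write to every anonymous visitor.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Hypothetical /users/{uid} collection: a signed-in user may read and
    // write only the document whose ID equals their own UID.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Hypothetical /posts collection: world-readable, but creates must be
    // owned by the caller and carry only the expected fields and types.
    match /posts/{postId} {
      allow read: if true;

      allow create: if request.auth != null
                    && request.resource.data.authorId == request.auth.uid
                    && request.resource.data.keys().hasOnly(
                         ['authorId', 'title', 'body', 'createdAt'])
                    && request.resource.data.title is string
                    && request.resource.data.title.size() <= 200
                    && request.resource.data.body is string
                    && request.resource.data.createdAt is timestamp;

      // Only the owner may change or remove a post, and an update may not
      // reassign ownership to a different UID.
      allow update: if request.auth != null
                    && resource.data.authorId == request.auth.uid
                    && request.resource.data.authorId == resource.data.authorId;

      allow delete: if request.auth != null
                    && resource.data.authorId == request.auth.uid;
    }
  }
}
```

The check that matters for the question is the distinction between `resource.data` (the document as it exists now) and `request.resource.data` (the document as the client wants it to be): ownership is verified against the former, and the new contents are validated against the latter. Rules like these are the server-side enforcement in a Firestore-only app; they run inside Google's infrastructure, so nothing in the Angular bundle can bypass them, which is why the public API key in `environment.prod.ts` is not by itself a secret worth protecting.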