請參閱本指南,瞭解設定中常見的安全漏洞、檢查並加強保護自己的規則,以及在部署變更前進行測試。Firebase Security Rules
如果收到資料未妥善保護的快訊,請檢查這些常見錯誤,並更新任何有安全漏洞的規則。
存取 Firebase Security Rules
如要查看現有的 Rules,請使用 Firebase CLI 或 Firebase 控制台。請務必使用相同方法編輯規則,以免不小心覆寫更新。如果不確定本機定義的規則是否反映最新更新,Firebase 控制台一律會顯示最新部署的 Firebase Security Rules 版本。
如要從 Firebase 控制台存取規則,請選取專案,然後前往 Realtime Database、Cloud Firestore 或「Storage」。進入正確的資料庫或儲存空間 bucket 後,按一下「規則」。
如要透過 Firebase CLI 存取規則,請前往firebase.json 檔案中註明的規則檔案。
瞭解 Firebase Security Rules
Firebase Security Rules保護資料,避免遭到惡意使用者侵擾。在 Firebase 控制台中建立資料庫執行個體或 Cloud Storage bucket 時,您可以選擇拒絕所有使用者存取 (鎖定模式),或是授予所有使用者存取權 (測試模式)。雖然您可能希望在開發期間採用較開放的設定,但請務必花時間正確設定規則並保護資料,再部署應用程式。
開發應用程式並測試規則的不同設定時,請使用其中一個本機 Firebase 模擬器,在本機開發環境中執行應用程式。
安全性偏低的規則常見情境
部署應用程式前,請先檢查並更新您可能預設設定或在開發應用程式時使用的 Rules。請避免下列常見錯誤,確保使用者資料受到妥善保護。
公開存取
設定 Firebase 專案時,您可能已將規則設為在開發期間允許開放存取。您可能以為只有自己會使用應用程式,但只要部署應用程式,網路上任何人都能存取。如果您未驗證使用者身分及設定安全規則,任何猜出專案 ID 的人都能竊取、修改或刪除資料。
  
    | 不建議:所有使用者都擁有讀取和寫入權限。 
  
  Cloud Firestore// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this ruleset in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}Realtime Database{
  // Allow read/write access to all users under any conditions
  // Warning: **NEVER** use this ruleset in production; it allows
  // anyone to overwrite your entire database.
  "rules": {
    ".read": true,
    ".write": true
  }
}
    Cloud Storage// Anyone can read or write to the bucket, even non-users of your app.
// Because it is shared with App Engine, this will also make
// files uploaded using App Engine public.
// Warning: This rule makes every file in your Cloud Storage bucket accessible to any user.
// Apply caution before using it in production, since it means anyone
// can overwrite all your files.
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write;
    }
  }
}
     | 
  
    | 解決方案:限制讀寫權限的規則。 建立符合資料階層的規則。其中一項常見的做法是建立以使用者為基礎的安全防護機制,並搭配使用 Firebase Authentication。進一步瞭解如何使用規則驗證使用者。 
  
  Cloud Firestore僅限內容擁有者service cloud.firestore {
  match /databases/{database}/documents {
    // Allow only authenticated content owners access
    match /some_collection/{document} {
      // Allow reads and deletion if the current user owns the existing document
      allow read, delete: if request.auth.uid == resource.data.author_uid;
      // Allow creation if the current user owns the new document
      allow create: if request.auth.uid == request.resource.data.author_uid;
      // Allow updates by the owner, and prevent change of ownership
      allow update: if request.auth.uid == request.resource.data.author_uid
                    && request.auth.uid == resource.data.author_uid;
    }
  }
}
  混合公開和私人存取權service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /some_collection/{document} {
      // Allow public reads
      allow read: if true
      // Allow creation if the current user owns the new document
      allow create: if request.auth.uid == request.resource.data.author_uid;
      // Allow updates by the owner, and prevent change of ownership
      allow update: if request.auth.uid == request.resource.data.author_uid
                    && request.auth.uid == resource.data.author_uid;
      // Allow deletion if the current user owns the existing document
      allow delete: if request.auth.uid == resource.data.author_uid;
    }
  }
}
  Realtime Database僅限內容擁有者{
  "rules": {
    "some_path": {
      "$uid": {
        // Allow only authenticated content owners access to their data
        ".read": "auth !== null && auth.uid === $uid",
        ".write": "auth !== null && auth.uid === $uid"
      }
    }
  }
}
    混合公開和私人存取權{
  // Allow anyone to read data, but only authenticated content owners can
  // make changes to their data
  "rules": {
    "some_path/$uid": {
      ".read": true,
      // or ".read": "auth.uid !== null" for only authenticated users
      ".write": "auth.uid === $uid"
    }
  }
}
    Cloud Storage僅限內容擁有者// Grants a user access to a node matching their user ID
service firebase.storage {
  match /b/{bucket}/o {
    // Files look like: "user/<UID>/file.txt"
    match /user/{userId}/{fileName} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}混合公開和私人存取權service firebase.storage {
  match /b/{bucket}/o {
    // Files look like: "user/<UID>/file.txt"
    match /user/{userId}/{fileName} {
      allow read;
      allow write: if request.auth.uid == userId;
    }
  }
}
   | 
任何已驗證的使用者都能存取
有時,Rules 會檢查使用者是否已登入,但不會根據該驗證進一步限制存取權。如果其中一項規則包含 auth != null,請確認您是否要允許任何已登入的使用者存取資料。
  
    | 不建議:任何登入的使用者都能讀取及寫入整個資料庫。 
  
  Cloud Firestoreservice cloud.firestore {
  match /databases/{database}/documents {
    match /some_collection/{document} {
      allow read, write: if request.auth.uid != null;
    }
  }
}Realtime Database{
  "rules": {
    ".read": "auth.uid !== null",
    ".write": "auth.uid !== null"
  }
}Cloud Storage// Only authenticated users can read or write to the bucket
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
} | 
  
    | 解決方案:使用安全條件縮減存取權。 檢查驗證狀態時,您可能也會想使用其中一個驗證屬性,進一步限制特定使用者存取特定資料集。進一步瞭解不同的驗證屬性。 
  
  Cloud Firestore角色存取權service cloud.firestore {
  match /databases/{database}/documents {
    // Assign roles to all users and refine access based on user roles
    match /some_collection/{document} {
     allow read: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "Reader"
     allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "Writer"
     // Note: Checking for roles in your database using `get` (as in the code
     // above) or `exists` carry standard charges for read operations.
    }
  }
}以屬性為準的存取權// Give each user in your database a particular attribute
// and set it to true/false
// Then, use that attribute to grant access to subsets of data
// For example, an "administrator" attribute set
// to "true" grants write access to data
service cloud.firestore {
  match /databases/{database}/documents {
    match /some_collection/{document} {
      allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
      allow read: true;
    }
  }
}
  混合公開和私人存取權service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /some_collection/{document} {
      allow read: if true
      allow write: if request.auth.uid == request.resource.data.author_uid
    }
  }
}
  Realtime Database僅限內容擁有者{
  "rules": {
    "some_path": {
      "$uid": {
        // Allow only authenticated content owners access to their data
        ".read": "auth.uid === $uid",
        ".write": "auth.uid === $uid"
      }
    }
  }
}
    路徑劃分存取權{
  "rules": {
    "some_path/$uid": {
      ".write": "auth.uid === $uid",
      // Create a "public" subpath in your dataset
      "public": {
        ".read": true
        // or ".read": "auth.uid !== null"
      },
      // Create a "private" subpath in your dataset
      "private": {
        ".read": "auth.uid === $uid"
      }
    }
  }
}
    混合公開和私人存取權{
  // Allow anyone to read data, but only authenticated content owners can
  // make changes to their data
  "rules": {
    "some_path/$uid": {
      ".read": true,
      // or ".read": "auth.uid !== null" for only authenticated users
      ".write": "auth.uid === $uid"
    }
  }
}
    Cloud Storage群組存取權// Allow reads if the group ID in your token matches the file metadata `owner` property
// Allow writes if the group ID is in the user's custom token
match /files/{groupId}/{fileName} {
  allow read: if resource.metadata.owner == request.auth.token.groupId;
  allow write: if request.auth.token.groupId == groupId;
}僅限內容擁有者// Grants a user access to a node matching their user ID
service firebase.storage {
  match /b/{bucket}/o {
    // Files look like: "user/<UID>/file.txt"
    match /user/{userId}/{fileName} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}混合公開和私人存取權service firebase.storage {
  match /b/{bucket}/o {
    // Files look like: "user/<UID>/file.txt"
    match /user/{userId}/{fileName} {
      allow read;
      allow write: if request.auth.uid == userId;
    }
  }
}
   | 
(Realtime Database) 規則繼承不當
Realtime Database Security Rules 級聯,較淺層級的父路徑規則會覆寫較深層級的子節點規則。在子節點撰寫規則時,請注意規則只能授予額外權限。您無法在資料庫的更深層路徑中,調整或撤銷資料存取權。
  
    | 不建議:在子路徑中修正規則 {
  "rules": {
     "foo": {
        // allows read to /foo/*
        ".read": "data.child('baz').val() === true",
        "bar": {
          /* ignored, since read was allowed already */
          ".read": false
        }
     }
  }
} | 
封閉測試
開發應用程式時,另一種常見做法是鎖定資料。通常這表示您已對所有使用者關閉讀取和寫入存取權,如下所示:
  
  Cloud Firestore
// Deny read/write access to all users under any conditions
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
      
   
    Realtime Database
    {
  "rules": {
    ".read": false,
    ".write": false
  }
}
    
   
   
  Cloud Storage
    // Access to files through Cloud Storage is completely disallowed.
// Files may still be accessible through App Engine or Google Cloud Storage APIs.
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
    
    
   
Firebase Admin SDK 和 Cloud Functions 仍可存取資料庫。如果您打算搭配 Firebase Admin SDK,將 Cloud Firestore 或 Realtime Database 做為僅限伺服器的後端,請使用這些規則。雖然安全無虞,但您應測試應用程式用戶端是否能正確擷取資料。
如要進一步瞭解 Cloud Firestore Security Rules 和運作方式,請參閱「開始使用 Cloud Firestore Security Rules」。
測試 Cloud Firestore Security Rules
如要檢查應用程式的行為並驗證 Cloud Firestore Security Rules 設定,請使用 Firebase Emulator。在部署任何變更之前,請先使用 Cloud Firestore 模擬器在本機環境中執行及自動化單元測試。
如要在 Firebase 控制台中快速驗證 Firebase Security Rules,請使用 Firebase 規則模擬器。