Security Rules and Firebase Authentication
Firebase Security Rules provide access control and data validation in a format that supports multiple levels of complexity. To build user-based and role-based access systems that keep your users' data safe, use Firebase Authentication together with Firebase Security Rules.

Identify users

Authentication identifies users requesting access to your data and provides that information as a variable you can leverage in your rules. The auth variable contains the following information:

uid: A unique user ID, assigned to the requesting user.
token: A map of values collected by Authentication.

The auth.token variable contains the following values:

Field | Description
--- | ---
email | The email address associated with the account, if present.
email_verified | true if the user has verified they have access to the email address. Some providers auto-verify email addresses they own.
phone_number | The phone number associated with the account, if present.
name | The user's display name, if set.
sub | The user's Firebase UID. This is unique within a project.
firebase.identities | Dictionary of all the identities associated with this user's account. The keys of the dictionary can be any of the following: email, phone, google.com, facebook.com, github.com, twitter.com. The values of the dictionary are arrays of unique identifiers for each identity provider associated with the account. For example, auth.token.firebase.identities["google.com"][0] contains the first Google user ID associated with the account.
firebase.sign_in_provider | The sign-in provider used to obtain this token. Can be one of the following strings: custom, password, phone, anonymous, google.com, facebook.com, github.com, twitter.com.
firebase.tenant | The tenant ID associated with the account, if present. For example, tenant2-m6tyz.

If you want to add customized authentication attributes, the auth.token variable also contains any custom claims you specify.

When the user requesting access isn't signed in, the auth variable is null. You can leverage this in your rules if, for example, you want to limit read access to authenticated users: auth != null. However, we generally recommend limiting write access further.

For more information about the auth variable, see the reference documentation for Cloud Firestore, Realtime Database, and Cloud Storage.

Leverage user information in rules

In practice, using authenticated information in your rules makes your rules more powerful and flexible. You can control access to data based on user identity.

In your rules, define how the information in the auth variable (the requestor's user information) matches the user information associated with the requested data.

For example, your app may want to make sure users can only read and write their own data. In this scenario, you would want a match between the auth.uid variable and the user ID on the requested data:
Cloud Firestore
service cloud.firestore {
  match /databases/{database}/documents {
    // Make sure the uid of the requesting user matches name of the user
    // document. The wildcard expression {userId} makes the userId variable
    // available in rules.
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
Realtime Database
{
  "rules": {
    "users": {
      "$userId": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($userId)
        ".write": "$userId === auth.uid"
      }
    }
  }
}
Cloud Storage
service firebase.storage {
  // Only a user can upload their file, but anyone can view it
  match /users/{userId}/{fileName} {
    allow read;
    allow write: if request.auth != null && request.auth.uid == userId;
  }
}
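To see how the three owner-only rules above actually decide requests, here is an added JavaScript example; it is not part of the Firebase documentation or the Rules engine. It models each rule as a plain function, binds the {userId} / $userId wildcard from a request path with a small matcher, and evaluates constructed requests. It also covers two points the snippets leave implicit: the bare "allow read;" in the Storage rule admits unauthenticated readers, and the Realtime Database rule declares no ".read" at all, so reads there are denied while a granted write cascades to child paths. The function names, the request shape and the sample requests are assumptions made for this example.

```javascript
// Added example (not Firebase code): a plain-JavaScript model of the three
// owner-only rules above, evaluated over constructed requests.

// Bind wildcards such as {userId} or $userId in a rule pattern against a concrete
// request path. With prefix = true (Realtime Database semantics) a rule declared
// on /users/$userId also covers deeper paths, because granted access cascades down.
// Returns the bound variables, or null if the pattern does not apply.
function matchPath(pattern, path, prefix = false) {
  const p = pattern.split("/").filter(Boolean);
  const q = path.split("/").filter(Boolean);
  if (prefix ? q.length < p.length : q.length !== p.length) return null;
  const bound = {};
  for (let i = 0; i < p.length; i++) {
    const m = /^(?:\{(\w+)\}|\$(\w+))$/.exec(p[i]);
    if (m) bound[m[1] ?? m[2]] = q[i];
    else if (p[i] !== q[i]) return null;
  }
  return bound;
}

// Cloud Firestore:
//   match /users/{userId} { allow read, write: if request.auth != null && request.auth.uid == userId; }
// {userId} binds exactly one path segment, so /users/alice/posts/p1 is not covered
// (a recursive wildcard would be needed for subcollections) and is denied by default.
function firestoreUsersDecision(request) {
  const vars = matchPath("/users/{userId}", request.path);
  if (vars === null) return false;
  return request.auth !== null && request.auth.uid === vars.userId;
}

// Cloud Storage:
//   match /users/{userId}/{fileName} { allow read; allow write: if request.auth != null && request.auth.uid == userId; }
// The bare "allow read;" has no condition, so it grants reads to everyone,
// including unauthenticated callers.
function storageUsersDecision(request) {
  const vars = matchPath("/users/{userId}/{fileName}", request.path);
  if (vars === null) return false;
  if (request.method === "read") return true;
  return request.auth !== null && request.auth.uid === vars.userId;
}

// Realtime Database:
//   "users": { "$userId": { ".write": "$userId === auth.uid" } }
// Only ".write" is declared, so every read is denied; a granted write cascades to
// all children of /users/$userId.
function rtdbUsersDecision(request) {
  if (request.method === "read") return false;
  const vars = matchPath("/users/$userId", request.path, true);
  if (vars === null) return false;
  return request.auth !== null && vars.userId === request.auth.uid;
}

// Constructed sample requests (auth is null for a signed-out caller).
const SAMPLE_REQUESTS = [
  { auth: null, method: "read", path: "/users/alice" },
  { auth: { uid: "alice" }, method: "write", path: "/users/alice" },
  { auth: { uid: "alice" }, method: "write", path: "/users/bob" },
  { auth: null, method: "read", path: "/users/alice/avatar.png" },
  { auth: { uid: "alice" }, method: "write", path: "/users/alice/profile/name" },
];

// Evaluate every request against all three models and return the decisions.
function evaluateAll(requests) {
  return requests.map((r) => ({
    ...r,
    firestore: firestoreUsersDecision(r),
    storage: storageUsersDecision(r),
    realtimeDatabase: rtdbUsersDecision(r),
  }));
}

console.log(JSON.stringify(evaluateAll(SAMPLE_REQUESTS), null, 2));
```

Running the block prints one row per sample request with the decision of each model; the differences between columns for the same request are exactly the differences in what the three rule snippets grant.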
Define custom user information

You can further leverage the auth variable to define custom fields assigned to your app's users.

For example, assume you want to create an "admin" role that enables write access on certain paths. You would assign that attribute to users, and then leverage it in the rules granting access on the paths.

In Cloud Firestore, you can add a custom field to users' documents and retrieve that field's value with an embedded read in your rules. So, your admin-based rule would look like the following example:
Cloud Firestore
service cloud.firestore {
  match /databases/{database}/documents/some_collection/{document} {
    // Remember that, in Cloud Firestore, reads embedded in your rules are billed operations
    allow write: if request.auth != null && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
    allow read: if request.auth != null;
  }
}
You can access custom claims in Rules after creating custom claims in Authentication. You can then reference those custom claims using the auth.token variable.
Cloud Firestore
service cloud.firestore {
  match /databases/{database}/documents {
    // For attribute-based access control, check for an admin claim
    allow write: if request.auth.token.admin == true;
    allow read: if true;

    // Alternatively, for role-based access, assign specific roles to users
    match /some_collection/{document} {
      allow read: if request.auth.token.reader == "true";
      allow write: if request.auth.token.writer == "true";
    }
  }
}
Realtime Database
{
  "rules": {
    "some_path": {
      "$sub_path": {
        // Check the writer custom claim before granting write access
        ".write": "auth.uid !== null && auth.token.writer === true",
        ".read": "auth.uid !== null"
      }
    }
  }
}
Cloud Storage
service firebase.storage {
  // Check the admin custom claim before granting write access
  match /files/{fileName} {
    allow read: if request.auth.uid != null;
    allow write: if request.auth.token.admin == true;
  }
}
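The embedded-read rule and the custom-claim rules above differ in two ways that matter operationally: every get() inside a rule is a billed document read, and Rules comparisons do not coerce types, so a claim checked with == true must be stored as a boolean while one checked with == "true" must be stored as a string. The following added JavaScript example, which is not Firebase code, models both rule styles over a constructed users collection and constructed tokens, counts the reads the embedded-read rule triggers, and shows how a claim of the wrong type is denied. The collection contents, token contents and function names are assumptions made for this example.

```javascript
// Added example (not Firebase code): a plain-JavaScript model of the custom-claim
// and embedded-read rules above, evaluated over constructed tokens.

// Constructed stand-in for the users collection read by get(...) in the Firestore rule.
const USERS = {
  alice: { admin: true },
  bob: { admin: false },
};

// Each get() in a rule is a billed document read; count them to make that visible.
let billedReads = 0;
function getBilledReads() { return billedReads; }
function resetBilling() { billedReads = 0; }

// Model of get(/databases/$(database)/documents/users/$(uid)).data
// A missing document has no data, so the comparison below fails and access is denied.
function getUserDoc(uid) {
  billedReads += 1;
  return { data: USERS[uid] };
}

// Rule: allow write: if request.auth != null && get(...users/$(request.auth.uid)).data.admin == true;
// The null check comes first and && short-circuits, so unauthenticated requests
// are denied without paying for a read.
function embeddedReadAdminWrite(auth) {
  if (auth === null) return false;
  const doc = getUserDoc(auth.uid);
  return doc.data !== undefined && doc.data.admin === true;
}

// Rule: allow write: if request.auth.token.admin == true;
// Rules comparisons do not coerce types: the claim must be the boolean true.
// When request.auth is null the expression errors in Rules, which denies the
// request; optional chaining models that here.
function claimAdminWrite(auth) {
  return auth?.token?.admin === true;
}

// Rule: allow read: if request.auth.token.reader == "true";
// This compares against the string "true". A claim stored as the boolean true
// does not satisfy it, so the value written when the claim is set has to match.
function roleReaderRead(auth) {
  return auth?.token?.reader === "true";
}

// Constructed tokens, standing in for decoded ID tokens of different users.
const TOKENS = {
  adminBool: { uid: "alice", token: { admin: true } },
  adminString: { uid: "alice", token: { admin: "true" } },
  readerString: { uid: "carol", token: { reader: "true" } },
  readerBool: { uid: "dave", token: { reader: true } },
};

// Evaluate the constructed requests and return every decision plus the read count.
function summarize() {
  resetBilling();
  return {
    embeddedReadAlice: embeddedReadAdminWrite({ uid: "alice" }),
    embeddedReadBob: embeddedReadAdminWrite({ uid: "bob" }),
    embeddedReadUnknown: embeddedReadAdminWrite({ uid: "erin" }),
    embeddedReadAnonymous: embeddedReadAdminWrite(null),
    billedReads: getBilledReads(),
    claimAdminBool: claimAdminWrite(TOKENS.adminBool),
    claimAdminString: claimAdminWrite(TOKENS.adminString),
    claimAdminAnonymous: claimAdminWrite(null),
    readerString: roleReaderRead(TOKENS.readerString),
    readerBool: roleReaderRead(TOKENS.readerBool),
  };
}

console.log(summarize());
```

In the printed summary, three write attempts through the embedded-read rule cost three reads (the anonymous one is short-circuited), and the two admin tokens that differ only in the type of the claim get opposite decisions. When you set claims with the Admin SDK, store them with the type your rule compares against.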
To see more examples of basic Rules leveraging Authentication, see Basic Security Rules.
Last updated (UTC): 2025-07-25.