Updated: 2023-12-04 10:52:16
Passwordless email sign-in allows the user to prove they have access to a certain mailbox. It inherently does nothing more than that. Once the user clicks the link, they are authenticated. Beyond enabling/disabling the entire sign-in provider, you cannot control who can sign in/authenticate.
After that it is up to your application to determine what this user is allowed to do. This is a separate step, typically called authorization.
Firebase Authentication takes care (as its name implies) of authentication only. You will have to handle authorization elsewhere, depending on what services you give the users access to.
What makes an email "registered" in your app? I.e. where does the admin create those users? For example, if you store the users in Cloud Firestore in a collection allowed_users, with documents like this:
allowed_users: // collection
"arkade@domain,com": { ... } // document
"puf@domain,com": { ... } // document
Now you can limit that only allowed users can access other data with Firestore's server-side security rules. Say you have a collection of posts, you can allow only these users to read posts with:
service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{post} {
      // Make sure an 'allowed_users' document exists for the requesting user before
      // allowing any reads from the 'posts' collection
      allow read: if exists(/databases/$(database)/documents/allowed_users/$(request.auth.email))
    }
  }
}
The syntax is a bit long, but you can see that it only allows the reading of a post if the current user's email address (request.auth.email) exists as a document in allowed_users.
In rules version 2 of the Firestore rules, you access the current user's email address a little differently. You can do it via request.auth.token.email. The example below also shows how you can get a boolean property in the current user's document, if you identify that user by email:
allow write: if get(/databases/$(database)/documents/users/$(request.auth.token.email)).data.admin == true;
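The two fragments above, put together as a complete rules-version-2 file (an added example, not code from the answer): reads of posts require an allowed_users document keyed by the caller's email, writes additionally require an admin flag. Two assumptions are added: the admin flag is assumed to live in the allowed_users document itself rather than a separate users collection, and the helper functions (signedInWithVerifiedEmail, isAllowedUser, isAdmin) are hypothetical names introduced here, with the email_verified guard added so that a provider that reports an unverified address cannot satisfy the allow-list check.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed helper: the caller is signed in, the token carries an email,
    // and Firebase reports that address as verified. Email-link sign-in
    // proves mailbox access, so its tokens pass this check.
    function signedInWithVerifiedEmail() {
      return request.auth != null
          && 'email' in request.auth.token
          && request.auth.token.email_verified == true;
    }

    // Assumed helper: an allowed_users document keyed by the caller's
    // email must exist (the allow-list from the answer above).
    function isAllowedUser() {
      return signedInWithVerifiedEmail()
          && exists(/databases/$(database)/documents/allowed_users/$(request.auth.token.email));
    }

    // Assumed helper: that same document carries admin: true.
    function isAdmin() {
      return isAllowedUser()
          && get(/databases/$(database)/documents/allowed_users/$(request.auth.token.email)).data.admin == true;
    }

    // Only allow-listed users may read posts; only admins may change them.
    match /posts/{post} {
      allow read: if isAllowedUser();
      allow write: if isAdmin();
    }

    // A user may read their own allow-list entry; only admins manage the list.
    match /allowed_users/{email} {
      allow read: if isAllowedUser() && email == request.auth.token.email;
      allow write: if isAdmin();
    }
  }
}
```

Key the allowed_users documents by the exact string Firebase reports in request.auth.token.email: exists() is a literal path lookup, so a differently spelled document ID denies access rather than matching loosely.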