Updated: 2023-12-05 21:40:46
Don't create an HTTP endpoint that accepts a uid and returns a custom token. This is a huge security vulnerability as any attacker would be able to impersonate any user knowing their uid.

What you need to do is the following:
signInWithCustomToken to complete sign in with that custom token.

In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token.
This is the basic idea (details excluded). Of course you still have to ensure the flow starts and ends on the same device by passing some state and then check that you get it back in the end. You also have to ensure the auth code is returned to the correct app using something like app links, etc. Firebase Dynamic Links can be helpful there.