firebase-meetup-#11-2019-02-18

 firebase-meetup-#11-2019-02-18

55c65de66a523fad9f41b21e70dcfa29?s=128

Tomokazu Kozuma

February 18, 2019
Tweet

Transcript

  1. 2.

    A B O U T M Y S E L

    F ࣗݾ঺հ Tomokazu Kozuma @Tomokazu106 ౦ژ޻ۀେֶେֶӃଔۀޙɺαΠόʔΤʔδΣϯτͰεϚϗήʔϜͷαʔόɺΠϯ ϑϥશൠΛ୲౰ɻԾ૝௨՟ʹ͍ٕͭͯज़ϒϩάΛॻ͍ͯΔ͏ͪʹ຅಄͠ɺຊ৬ͱ ͯ͠஫ྗ͢ΔͨΊʹ(JODPʹೖࣾɻ(JODPͰ͸ϒϩοΫνΣʔϯͷϊʔυӡ༻ɺϋʔ υϑΥʔΫରԠɺόοΫΤϯυͳͲ޿ൣғΛ୲౰ɻ
  2. 9.

    S e c u r i t y P r

    o b l e m ԯ݅ͷػີ৘ใ͕ެ։͞Ε͍ͯΔ • 'JSFCBTF%BUBCBTFΛ࢖͍ͬͯΔ಺ͷ͕࿙Ӯ • ݪҼ͸SVMFTΛ͖ͪΜͱઃఆͰ͖͍ͯͳ͍ h t t p s : / / w w w . a p p t h o r i t y . c o m / c o m p a n y / p r e s s / p r e s s - r e l e a s e s / 6 2 - o f - e n t e r p r i s e s - e x p o s e d - t o - s e n s i t i v e - d a t a - l o s s - v i a - f i r e b a s e - v u l n e r a b i l i t y
  3. 11.

    'JSFTUPSFSVMFT • SFBEXSJUFݖݶ • σʔλͷόϦσʔγϣϯ T I T L E

    T E X T Firestore Cloud 3VMFT "1*ΩʔͰΞΫηε
  4. 12.

    • SFBE୯ҰEPDΛऔಘ͢ΔHFUͱෳ਺औಘ͢ΔMJTU • XSJUFDSFBUF VQEBUF EFMFUF SFBEXSJUFݖݶ R e a

    d R e s t r i c t i o n match /Users/{uid} { allow get: if someCondition(); allow create: if someCondition(); } function someCondition() { … }
  5. 13.

    • ϦΫΤετσʔλɿSFRVFTUSFTPVSDFEBUB • 'JSFTUPSFσʔλɿSFTPVSDFEBUB • ܕɿJOU TUSJOH CPPM UJNFTUBNQͳͲ •

    LFZɿIBT"MM IBT0OMZ IBT"OZ σʔλͷόϦσʔγϣϯ D a t a V a l i d a t i o n match /Users/{uid} { allow update: if request.resource.data.keys().hasAll(["name", "age"]) && request.resource.data.name is string && request.resource.data.name != "" && request.resource.data.age == resource.data.age }
  6. 14.

    5 S e t t i n g s e

    c u r e r u l e s ػີσʔλ͸ผ֊૚ผSVMFTʹ͢Δ ϫΠϧυΧʔυͰͷSVMFTઃఆʹؾΛ͚ͭΔ ৘ใ࿙Ӯ͠ͳ͍ͨΊͷSVMFTઃఆ
  7. 15.

    • ผ֊૚ʹͯ͠SVMFTઃఆΛݫ͘͢͠Δ ػີσʔλ͸ผ֊૚ D i v i d e S

    e c r e t D a t a match /Users/{uid} { // ೝূࡁϢʔβʹެ։ allow read: if isAuthUser(); // ࣗ෼ͷσʔλ͚ͩʹΞΫηεՄ match /Private/Info { allow read: if isMyData(uid); } } function isMyData(uid) { return request.auth.uid == uid; }
  8. 16.

    ϫΠϧυΧʔυͰͷSVMFTઃఆ • ϫΠϧυΧʔυͰෳ਺SVMF͕ద༻͞ΕͯڐՄ͞ΕΔ U s i n g w i

    l d c a r d match /Users/{uid} { // ৚݅1 match /{allChildren=**} { allow read: if isAuthUser(); } // ৚݅2 match /Private/Info { allow read: if isMyData(uid); } } function isMyData(uid) { return request.auth.uid == uid; }
  9. 26.

    L o a d r u l e s SVMFTͷϩʔυ

    import * as firebase from ‘@firebase/testing’ // rulesͷϩʔυ firebase.loadFirestoreRules({ projectId: 'test-project-00', rules: fs.readFileSync("firestore.rules", "utf8") }) • SVMFTͷϩʔυ͸೚ҙͷQSPKFDU*EͰͰ͖Δ • QSPKFDU*EผʹݸผͷσʔλۭؒΛ࣋ͯΔ • ςετຖʹQSPKFDU*EΛมߋ͢Ε͹·ͬ͞Βͳঢ়ଶ
  10. 27.

    • ෳ਺ͷೝূΞΧ΢ϯτΛಉ࣌ʹѻ͑Δ L o a d r u l e

    s ΞΧ΢ϯτ࡞੒ // ೝূࡁΞΧ΢ϯτ const firestore = firebase .initializeTestApp({ projectId: ‘test-project-00', auth: {uid: ‘test-account’} }) .firestore(); // AdminΞΧ΢ϯτ const adminFirestore = firebase .initializeAdminApp({ projectId: 'test-project-00', auth: ‘admin-account’ }) .firestore();