问题描述
我知道这个问题被问过太多次了.但我有一些建议,需要知道它是否有意义.
我已经在使用 Firebase 数据库.我只需要一个服务器就可以对 Firebase 消息进行 POST 调用.但是如果应用程序发出相同的 POST 调用怎么办?现在我明白了这个模型存在安全风险.可以反编译应用程序并提取服务器密钥.但由于我已经在使用 Firebase 数据库,如果我将密钥保留在我的数据库中并在需要时请求它.
I know this question has been asked too many times. But I have something to propose and need to know if it makes sense.
I am already using Firebase database.
All I need a server is to make a POST call to Firebase messaging. But what if the app makes the same POST call?
Now I understand that there is a security risk aligned with this model. Apps can be decompiled and the server key can be extracted. But as I am already using Firebase database, what if I keep the key in my database and request when I need it.
如果这听起来不错,或者除了增加对我的数据库的调用之外,它是否还有其他缺点.
Please let me know if this sounds good or does it have any drawbacks other than one increased call to my database.
推荐答案
保持 FCM 服务器密钥安全的唯一方法是不要将其暴露给不受信任的客户端的设备.
The only way to keep your FCM server key secure, is to not expose it to devices of untrusted clients.
如果您将 FCM 服务器密钥存储在数据库中,则需要将其存储在您希望允许发送 FCM 消息的应用用户可以访问的位置.
If you store the FCM server key in the database, you'll need to store it in a place that is somehow accessible to the users of your app who you want to allow to send FCM messages.
如果这些用户可以访问 FCM 服务器密钥,他们可以获取该密钥并滥用它.如果您只允许一小部分用户访问此值,那么您将降低该较小用户组的风险.如果这些是不受信任的客户,那么您仍然会将密钥暴露给不受信任的客户.
If the FCM server key is accessible to those users, they can take the key and abuse it. If you only allow access to this value to a tiny subset of your users, you'll have reduced the risk to that smaller group of users. And if those are untrusted clients, then your still exposing the key to untrusted clients.
所以你添加了一个间接层,但我认为它不会更安全.
So you're adding a layer of indirection, but I would not consider it a lot more secure.
这篇关于没有服务器 XMPP 服务器的 Firebase 消息传递 - 提案的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!