배경

문제

 var ref = new Firebase("https://{app_name}.firebaseio.com");

설명

siteA

코드

<!DOCTYPE HTML>
<html lang="en-US">
<head>
  <title>firebase test</title>
  <script src="https://cdn.firebase.com/js/client/2.4.1/firebase.js"></script>
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"/>
  <script src="https://code.jquery.com/jquery-1.12.0.min.js"></script>
</head>
<body>
<button id="login"  class="btn btn-primary">Firebase Twitter</button>
  <p id="result"></p>
  <script>
  var ref = new Firebase("https://{app_name}.firebaseio.com");

  $("#login").click(function () {
      ref.authWithOAuthPopup("twitter", function (error, authData) {
      if (error) {
        $("#result").text("Login Failed!");
      } else {
        $("#result").text("Authenticated successfully with payload");
        ref.set({age: 30});
        $("#result").text("ageを30に設定しました");
      }
    });
  })
</script>
</body>
</html>

실행 및 결과

나쁜 사람

코드

<!DOCTYPE HTML>
<html lang="en-US">
<head>
  <title>firebase test</title>
  <script src="https://cdn.firebase.com/js/client/2.4.1/firebase.js"></script>
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"/>
  <script src="https://code.jquery.com/jquery-1.12.0.min.js"></script>
</head>
<body>
<button id="login"  class="btn btn-primary">ageを変更</button>
  <p id="result"></p>
  <script>
  var ref = new Firebase("https://{app_name}.firebaseio.com");
        ref.set({age: 20});
        $("#result").text("ageを20に設定しました");
</script>
</body>
</html>

실행 및 결과

대책 - Firebase의 보안 및 규칙 활용

Firebase 보안 및 규칙 설정

설명

siteA 코드

......
ref.authWithOAuthPopup("twitter", function (error, authData) {
      if (error) {
        $("#result").text("Login Failed!");
      } else {
        $("#result").text("Authenticated successfully with payload");
        //ref.set({age: 30});
        ref.child('users').child(authData.uid).set({age:30});
        $("#result").text("ageを30に設定しました");
      }
......

결과

감상