在Firebase中存储客户端IP地址

尽管我听说现在有办法让客户端确定和报告他们的IP地址，但依赖客户端代码报告他们的IP地址也会使任何人运行自定义的客户端代码来报告错误的IP地址。
唯一安全的跟踪客户端IP地址的方法要么涉及您拥有服务器，要么Firebase拥有一个特殊功能，当客户端调用它时，它会导致Firebase的服务器获取客户端的IP地址并为您保存它。
我的建议是运行一个简单的服务器来接收POST请求。服务器只需要能够验证请求来自哪个用户，并能够准确地获取客户端的IP地址并将其保存在Firebase上。

在以下网址中：https://firebase.google.com/docs/auth/admin/manage-sessions 在“高级安全性：强制执行IP地址限制”一节中，
您将在此代码片段中找到对remoteIpAddress的引用（箭头指向的行）：

app.post('/getRestrictedData', (req, res) => {
  // Get the ID token passed.
  const idToken = req.body.idToken;
  // Verify the ID token, check if revoked and decode its payload.
  admin.auth().verifyIdToken(idToken, true).then((claims) => {
    // Get the user's previous IP addresses, previously saved.
    return getPreviousUserIpAddresses(claims.sub);
  }).then(previousIpAddresses => {
    // Get the request IP address.
    const requestIpAddress = req.connection.remoteAddress;    <=============================
    // Check if the request IP address origin is suspicious relative to previous
    // IP addresses. The current request timestamp and the auth_time of the ID
    // token can provide additional signals of abuse especially if the IP address
    // suddenly changed. If there was a sudden location change in a
    // short period of time, then it will give stronger signals of possible abuse.
    if (!isValidIpAddress(previousIpAddresses, requestIpAddress)) {
      // Invalid IP address, take action quickly and revoke all user's refresh tokens.
      revokeUserTokens(claims.uid).then(() => {
        res.status(401).send({error: 'Unauthorized access. Please login again!'});
      }, error => {
        res.status(401).send({error: 'Unauthorized access. Please login again!'});
      });
    } else {
      // Access is valid. Try to return data.
      getData(claims).then(data => {
        res.end(JSON.stringify(data);
      }, error => {
        res.status(500).send({ error: 'Server error!' })
      });
    }
  });
});