Enforce authentication for firebase-storage downloadable urls


Problem description


Firebase docs suggest that obtaining a downloadable url (e.g. for streaming video in html <video> tag) is done by getDownloadURL(), on any storage reference. Thus, you can set security rules which will be applied for client requests via the SDK.

However, it seems that the downloadable URL received is publicly available to any client/device, with no authentication required.

Is there any way to enforce security authorization for such a use case? I notice you can revoke the public URL manually in the console, but it's not a scalable solution, nor secure.

Solution

There are two ways to download a file from Firebase Storage:

  • gs://bucket/object
  • https://firebasestorage.googleapis.com/v0/b/bucket/o/object?token=<UUID>

The former is an internal reference, and can be used to upload and download files via our SDKs. These are protected by Firebase Authentication and Firebase Storage Security rules. It is designed to be used by users of your application, while in the application.

The latter is an external reference, and can be used only to download files that have been shared, usually external to the application. Since the user who this has been shared with is outside of your application, there's no way they could authenticate, so authorization is less interesting.

The authorization we provide is "do they have a long unguessable token" that means someone authorized to share the file with them gave them permission to. This is commonly known as a "public, unguessable URL" or a "signed URL" due to the cryptographic signing that's often used to convey certain claims (like how long the URL is valid, what operations it's valid for, etc.).

We believe that there's little sense in making an "external" representation that can only be used by "internal" app users, though I'd be open to hearing your use cases if you disagree.
