Can't get Firebase Storage security rules to refuse access to a file


Question

I'm sure I'm missing something wrt Firebase Storage rules, but I've done the following:

Step 1

Firstly I set the following Firebase Storage rule:

service firebase.storage {
  match /b/{bucket}/o {
    // Wildcards bound here are the only variables available in the conditions below
    match /items/{dev_key}/{perm_id}/{file_name} {
      // The path variable is named dev_key (dev_id is not defined in this match)
      allow write: if request.auth.uid == dev_key;
      // Only a caller whose ID token carries the custom claim permId equal to the
      // path segment may read; this is evaluated for SDK reads, not for download URLs
      allow read: if request.auth.token.permId == perm_id;
    }
  }
}

I expected only signed in users with a custom claim permId matching the relevant location to be able to download the file, allow read: if request.auth.token.permId == perm_id;.

So, I then set a custom claim in Cloud Functions on a user as follows:

Step 2

const admin = require('firebase-admin'); // Admin SDK, initialized elsewhere in the function

// Set the custom claim; it only shows up in the user's ID token after a fresh sign-in
admin.auth().setCustomUserClaims(uid, {permId: '1'}).then(() => {
    // send off some triggers to let user know the download is coming
    return admin.database().ref(`collection/${uid}/${itemId}`).update({
        downloadReady: true
    });
});

Then I signed the user out and signed back in again... which set the custom claims. I checked that they were set in Cloud Functions as follows:

Step 3

// Verify and decode the client's ID token; custom claims appear in the decoded payload
admin.auth().verifyIdToken(idToken).then((claims) => {
    console.log("--------------claims -------------");
    console.log(JSON.stringify(claims));
});

And I saw in the claims string... permID: "1"

On the client side I then requested a downloadURL (here is hopefully where I'm going wrong)... I expected this to not be the public download url but rather the download url that the Firebase Storage security rules will check:

Step 4

// getDownloadURL() returns a URL carrying a long-lived download token
var pathReference = storage.ref('items/<some-key>/1/Item-1');

pathReference.getDownloadURL()
.then((url)=>{
    console.log("url: ", url);
});

The url I received from this call gave me this link https://firebasestorage.googleapis.com/v0/b/emiru84-games.appspot.com/o/games%2FcfaoVuEdJqOWDi9oeaLLphXl0E82%2F1%2FGame-1?alt=media&token=45653143-924a-4a7e-b51d-00774d8986a0 (a tiny little image I use for testing)

So far so good, the user with the correct claim was able to view this image

I then repeated step 2, logout/login again, except this time with a permId of "0". I expected the url generated previously to no longer work since my user no longer had the correct custom claim... and the bucket location was still at the same location (bucket/dev_key/1/filename) but it still worked.

If I repeated step 4 I got a new url, which then gave the appropriate 403 error response. However, the old url still worked (I guess as long as the token parameter is tacked on). Is this expected? If so, I'm not sure I understand how the Storage security rules make a difference if the download url is public anyway.

Any help clearing my foggy brain would be appreciated.

Recommended answer

The download URL in Cloud Storage for Firebase is always publicly readable. It is not affected by security rules.

If you don't want to allow public access to a file, you can revoke its download URL.
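The following is an added model of the two access paths discussed in this thread (not the asker's code and not Firebase SDK code): an SDK read is evaluated against the rule with the caller's claims, while a tokenized download URL is checked only against the object's token list, so changing the claim denies the former but not the latter until the token is revoked. Object paths, claims and token values are constructed samples; the only assumption is that Firebase Storage stores download tokens in the object metadata key firebaseStorageDownloadTokens, which is what clearing that key via the Admin SDK revokes.

```javascript
// Constructed sample: object metadata as Firebase Storage keeps it, with the
// download token(s) stored comma-separated under firebaseStorageDownloadTokens.
const objects = {
  'items/dev123/1/Item-1': { firebaseStorageDownloadTokens: '45653143-aaaa' },
};

// Match a rules path pattern such as items/{dev_key}/{perm_id}/{file_name}
// against a concrete object path; returns the bound wildcards or null.
function matchRulePath(pattern, objectPath) {
  const pat = pattern.split('/');
  const parts = objectPath.split('/');
  if (pat.length !== parts.length) return null;
  const vars = {};
  for (let i = 0; i < pat.length; i++) {
    const m = /^\{(\w+)\}$/.exec(pat[i]);
    if (m) vars[m[1]] = parts[i];
    else if (pat[i] !== parts[i]) return null;
  }
  return vars;
}

// Access path 1: an SDK read is evaluated against the question's rule
// "allow read: if request.auth.token.permId == perm_id" using the caller's
// ID token claims (auth is null for an unauthenticated caller).
function rulesAllowRead(objectPath, auth) {
  const vars = matchRulePath('items/{dev_key}/{perm_id}/{file_name}', objectPath);
  if (!vars || !auth || !auth.token) return false;
  return auth.token.permId === vars.perm_id;
}

// Access path 2: a download URL (?alt=media&token=...) is served if the token
// is in the object's token list. No rules and no caller identity are consulted,
// which is why the old URL kept working after the claim changed to "0".
function downloadUrlAllowed(objectPath, token) {
  const meta = objects[objectPath];
  if (!meta || !meta.firebaseStorageDownloadTokens) return false;
  return meta.firebaseStorageDownloadTokens.split(',').includes(token);
}

// The remedy the answer points to: clear the token list so existing URLs stop
// working (the Admin SDK equivalent sets that metadata key to null).
function revokeDownloadTokens(objectPath) {
  if (objects[objectPath]) objects[objectPath].firebaseStorageDownloadTokens = '';
  return objects[objectPath] !== undefined;
}
```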
