组的Firebase存储安全规则 [英] Firebase Storage Security Rules for Groups
问题描述
我知道对此有几个问题(例如 https://stackoverflow.com/a/52808572/3481904 ),但对于我的案件,我仍然没有好的解决方案.
I know there are several questions regarding this (e.g. https://stackoverflow.com/a/52808572/3481904), but I still don't have a good solution for my case.
我的应用程序具有组,它们是动态创建/删除的,并且成员(用户)可以随时添加/删除.
My application has Groups, which are created/removed dynamically, and members (users) can be added/removed at anytime.
每个组具有0..N个私有文件(Firebase存储),保存在不同的路径中(均具有前缀groups/{groupId}/...
).
Each Group has 0..N private files (Firebase Storage), saved in different paths (all having the prefix groups/{groupId}/...
).
在Firestore安全规则中,我使用get()
& exists()
了解登录用户是否是组的一部分.但是我无法在Firebase存储安全规则中做到这一点.
In Firestore Security Rules, I use get()
& exists()
to know if the signed-in-user is part of a group. But I cannot do this in the Firebase Storage Security Rules.
建议的2个解决方案是:
- 用户声明:
,但是令牌需要刷新(退出/登录或更新过期的令牌),这在我的用例中是不可接受的,因为用户一旦被邀请就需要立即访问.此外,用户可以是许多组的一部分,这些组可能会超过1000个字节.
but the token needs to be refreshed (signing out/in, or renewing expired token) which is not acceptable for my use case, because users need to have access immediately once invited. Also, a user can be part of many groups, which can potentially grow over 1000 bytes.
- 文件元数据:
但是组可以在不同路径中包含N个文件,因此我将需要循环列出组中的所有文件,并在每个文件的元数据中设置组成员的userIds,以允许对其进行访问.当添加/删除成员时,这将是由Firestore(Firebase功能)触发的操作.
but Groups can have N files in different paths, so I will need to loop-list all files of a group, and set the userIds of the group-members in the metadata of each file, allowing access to it. This would be an action triggered by Firestore (a Firebase Function), when a member is added/removed.
我不喜欢这种方法,因为:
I don't like this approach because:
- 需要循环列出N个文件并为每个文件设置元数据(性能不佳)
- 要添加新文件,我想我需要将
create
设置为public(因为尚无要检查的元数据),然后需要触发一个Function以将userIds添加到元数据中 - 授予文件访问权限可能会延迟几秒钟,如果用户在这段时间之前打开论坛页面,体验很糟糕,则可能会导致问题
- needs to loop-list N files and set metadata for each one (not very performant)
- To add new files, I think I would need to set
create
to public (as there is no metadata to check against yet), and then a Function would need to be triggered to add the userIds to the metadata - there might be some seconds of delay to give files access, which could cause problems in my case if the user opens the group page before that time, having a bad experience
所以,我的问题是:
- 有没有更好的方法?
- 如果在身份验证时仅允许客户端
get
和create
所有文件(不允许delete
和list
),这是否足以保证安全?我认为,恶意黑客可能会向匿名用户上传任何东西,或者如果他们知道路径,则可能会读取所有私有组文件...
- Is there a better way?
- If I only allow the client to
get
andcreate
all files when authenticated (disallowingdelete
andlist
), would this be enough for security? I think that there might be a chance that malicious hackers can upload anything with an anonymous user, or potentially read all private group files if they know the path...
谢谢!
推荐答案
如果自定义声明对您不起作用,则实际上没有实现这一目标的好方法".您唯一的实际选择是:
If custom claims don't work for you, there is really no "good" way to implement this. Your only real options are:
- 以某种方式使用Cloud Functions将Firestore中的相关数据镜像到Storage中,并将Firestore文档数据放入Storage对象元数据中,以通过规则进行检查.
- 通过您控制的后端(也可以是Cloud Functions)将对存储的所有访问路由到执行所有相关安全检查的后端.如果您使用Cloud Functions,则此方法不适用于内容大于10MB的文件,因为这是对使用Cloud Functions进行请求和响应的大小的限制.
请提交具有Firebase支持的功能请求,以允许在存储规则中使用Firestore文档-这是常见的请求. https://support.google.com/firebase/contact/support
Please file a feature request with Firebase support to be allow use of Firestore documents in Storage rules - it's a common request. https://support.google.com/firebase/contact/support
这篇关于组的Firebase存储安全规则的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!