无法获取Firebase Storage安全规则以拒绝访问文件 [英] Cant get Firebase Storage security rules to refuse access to a file
问题描述
我确定我缺少Firebase存储规则,但是我已经完成了以下操作:
I'm sure I'm missing something wrt Firebase Storage rules, but I've done the following:
第1步
首先,我设置以下Firebase存储规则:
Firstly I set the following Firebase Storage rule:
service firebase.storage {
match /b/{bucket}/o {
match /items/{dev_key}/{perm_id}/{file_name} {
allow write: if request.auth.uid == dev_id;
allow read: if request.auth.token.permId == perm_id;
}
}
}
我希望只有具有与相关位置匹配的自定义声明permId的登录用户才能下载文件,允许读取:if request.auth.token.permId == perm_id; .
I expected only signed in users with a custom claim permId matching the relevant location to be able to download the file, allow read: if request.auth.token.permId == perm_id;.
因此,我然后在Cloud Functions中设置了自定义声明对用户的操作如下:
So, I then set a custom claim in Cloud Functions on a user as follows:
STEP 2
admin.auth().setCustomUserClaims(uid, {permId: '1'}).then(() => {
// send off some triggers to let user know the download is coming
admin.database().ref(`collection/${uid}/${itemId}`).update({
downloadReady: true
});
});
然后,我注销了用户,然后再次登录...,它设置了自定义声明.我检查了它们是否在Cloud Functions中进行了设置,如下所示:
Then I signed the user out and signed back in again... which set the custom claims. I checked that they were set in Cloud Functions as follows:
第3步
admin.auth().verifyIdToken(idToken).then((claims) => {
console.log("--------------claims -------------");
console.log(JSON.stringify(claims));
});
我在声明字符串中看到了... permID:"1"
And I saw in the claims string... permID: "1"
然后在客户端上,我请求了一个downloadURL(希望这是我要去的地方)...我希望这不是公共下载URL,而是Firebase存储安全规则将检查的下载URL:
On the client side I then requested a downloadURL (here is hopefully where I'm going wrong)... I expected this to not be the public download url but rather the download url that the Firebase Storage security rules will check:
第4步
var pathReference = storage.ref('items/<some-key>/1/Item-1');
pathReference.getDownloadURL()
.then((url)=>{
console.log("url: ", url);
})
The url I received from this call gave me this link https://firebasestorage.googleapis.com/v0/b/emiru84-games.appspot.com/o/games%2FcfaoVuEdJqOWDi9oeaLLphXl0E82%2F1%2FGame-1?alt=media&token=45653143-924a-4a7e-b51d-00774d8986a0 (a tiny little image I use for testing)
到目前为止,具有正确声明的用户可以查看此图片
So far so good, the user with the correct claim was able to view this image
然后我重复步骤2,再次注销/登录,但这次的permId为"0".我希望以前生成的URL不再起作用,因为我的用户不再具有正确的自定义声明...并且存储区位置仍位于相同位置(bucket/dev_key/1/filename),但仍然可以使用.
I then repeated step 2, logout/login again, except this time with a permId of "0". I expected the url generated previously to no longer work since my user no longer had the correct custom claim... and the bucket location was still at the same location (bucket/dev_key/1/filename) but it still worked.
如果我重复第4步,则会得到一个新的URL,然后给出适当的403错误响应.但是,旧的url仍然有效(我猜只要加上了token参数).是这样吗,如果可以,我不确定如果下载URL是公开的,那么我不确定存储安全规则如何产生作用吗?
If I repeated step 4 I got a new url, which then gave the appropriate 403 error response. However the old url still worked (I guess as long as the token parameter is tacked on). Is this expected, if so, I'm not sure I understand how the Storage security rules make a difference if the download url is public anyway?
任何帮助清理我雾蒙蒙的大脑的人都会感激不尽.
Any help clearing my foggy brain would be appreciated.
推荐答案
Cloud Storage for Firebase中的下载URL始终是公共可读的.它不受安全规则的影响.
The download URL in Cloud Storage for Firebase is always publicly readable. It is not affected by security rules.
如果您不想允许公众访问文件,则可以撤消其下载URL.
If you don't want to allow public access to a file, you can revoke its download URL.
这篇关于无法获取Firebase Storage安全规则以拒绝访问文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
