如何限制从Firebase存储下载的次数? [英] How to limit number of downloads from Firebase Storage?

问题描述

据我所知，Firebase存储中没有安全规则可以限制每个用户的下载数量.

As far as I can see there are no security rules in the Firebase Storage that could limit the number of downloads per user.

我可以通过一个简单的技巧来限制用于写操作的文件大小或文件数量:

I can limit the file size or number of files for writes with a simple trick like this:

  match /public/{userId}/{imageId} {
  allow write: if request.resource.size < 5 * 1024 * 1024 && 
  imageId.matches("[1-5]\.txt");
}

并根据 Google配额&限制:

每个对象的更新限制为每秒一次，因此对单个对象的快速写入不会扩展.

There is an update limit on each object of once per second, so rapid writes to a single object won’t scale.

这很好，但是一旦恶意用户知道下载链接，如何防止过多的读取?这又对安全特别重要，再次根据

So this is great but how to prevent too many reads once a download link is known to a malicious user? This is especially important for security as again according to Google Quotas & Limits:

读取对象没有限制.存储桶最初支持每秒大约5000次读取，然后根据需要进行扩展.

There is no limit to reads of an object. Buckets initially support roughly 5000 reads per second and then scale as needed.

推荐答案

没有配置用于限制Cloud Storage中存储的文件的下载量.如果用户完全有权读取任何数据，则他们可以根据需要读取任意数量的数据.没有与所消耗的每用户数据量或文件访问次数有关的计费方式.没有任何安全规则可让您以这种方式限制访问.没有Cloud Functions触发器可以让您自己进行核算.

There is no configuration for limiting the volume of downloads for files stored in Cloud Storage. If a user has access to read any data at all, they can read it as much as they want. There is no accounting related to the amount of per-user data consumed, or number of times a file is accessed. There are no security rule that let you restrict access in this way. There are no Cloud Functions triggers that let you do the accounting yourself.

有关上传限制的文档与您要执行的操作无关.可伸缩性的限制仅与基础系统的性能有关，而与最终用户的权限无关.

The documentation for limits on uploads is not related to what you're trying to do. The limits on scalability have only to do with the performance of the underlying system, not the permissions of the end users.

如果要限制最终用户可以执行的操作，则需要通过构建的一些中间件组件将其路由，该组件可以跟踪他们如何使用提供的API下载文件，并根据他们的使用来限制他们可以做什么先前的行为.显然，实现起来并不容易，但是有可能.

If you want to limit what end users can do, you will need to route them through some middleware component that you build that tracks how they're using your provided API to download files, and restrict what they can do based on their prior behavior. This is obviously nontrivial to implement, but it's possible.

这篇关于如何限制从Firebase存储下载的次数?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！