Reading firebase storage image security rules


Question

I am using Firebase storage and firestore with flutter, I came across two options to retrieve Firebase storage image

  1. Setting Firebase storage image url in firestore database and then fetching it with network image
  2. Getting image url from Firebase storage directly

I don't know much about tokens. My security rules state that only auth users can read my Firebase storage, but if I use the first option, my image url with token is stored in my firestore database, and using that url anyone can access my storage. I am not sure whether Firebase refreshes its storage token automatically; if that is the case, my app will experience a crash. Which is the most secure and long-lasting way? Or please answer if there is any other secure way to fetch images.

Recommended answer

Firebase storage tokens won't expire unless you revoke them. The token may update if you overwrite the image i.e. update it. Now that's totally your call if you would like to make a separate request just to get the download URL or store the URL in realtime database when an image is uploaded and fetch it along with other data.

Security rules of Firebase Storage will prevent non-authenticated users from getting the download URL only. If an authenticated user shares the URL with anyone, they will be able to see the image as they have the URL with that random token now.

If the data you are fetching from realtime database requires the user to be logged in in the first place, then I'd just store the URL in the database itself as I don't think it makes sense to make another request and have the same rules for Firebase storage. I don't know your exact use case so there may be exceptions for doing this.

If you don't need that image URL always then that might be a waste of bandwidth, then you should consider making a separate request to get the storage URLs.

service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

These rules will allow any authenticated user to request the URL. But as I mentioned earlier, anyone with this link can access the file.
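The answer's point that a tokenized download URL works for anyone who holds it suggests auditing where such URLs are stored. The following is an added example, not code from the original post: a JavaScript helper that walks a document and reports every field holding a Firebase Storage download URL with an embedded token. It assumes the usual URL shape `https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<encoded path>?alt=media&token=<token>`; the bucket, paths, token and field names in the sample are constructed.

```javascript
// Added example (not from the original post). Assumes the usual download URL shape:
//   https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<encoded path>?alt=media&token=<token>
const STORAGE_HOST = "firebasestorage.googleapis.com";

// Returns null when the string is not a Firebase Storage download URL,
// otherwise the bucket, decoded object path and whether a token is embedded.
function parseDownloadUrl(value) {
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== "https:" || url.hostname !== STORAGE_HOST) return null;
  const m = /^\/v0\/b\/([^/]+)\/o\/(.+)$/.exec(url.pathname);
  if (!m) return null;
  let path;
  try { path = decodeURIComponent(m[2]); } catch { return null; }
  return { bucket: m[1], path, hasToken: url.searchParams.has("token") };
}

// Recursively walks nested objects and arrays and lists the fields whose
// value is a tokenized download URL. The token itself is never reported.
function findTokenizedUrls(doc, prefix = "") {
  const hits = [];
  if (typeof doc === "string") {
    const p = parseDownloadUrl(doc);
    if (p && p.hasToken) hits.push({ field: prefix, bucket: p.bucket, path: p.path });
  } else if (doc && typeof doc === "object") {
    for (const [key, val] of Object.entries(doc)) {
      hits.push(...findTokenizedUrls(val, prefix ? `${prefix}.${key}` : key));
    }
  }
  return hits;
}

// Constructed sample document: bucket, paths and token are placeholders.
const BASE = "https://firebasestorage.googleapis.com/v0/b/demo-app.appspot.com/o/";
const TOKEN = "00000000-0000-4000-8000-000000000000";
const sampleDoc = {
  name: "Alice",
  avatar: `${BASE}users%2Fu1%2Favatar.png?alt=media&token=${TOKEN}`,
  avatarPath: "users/u1/avatar.png", // storing only the path keeps the token out of the database
  gallery: [`${BASE}users%2Fu1%2Fcat.jpg?alt=media&token=${TOKEN}`, "https://example.com/logo.png"],
};

console.log(findTokenizedUrls(sampleDoc));
```

Each reported field is a place where the object path could be stored instead, so that clients obtain the URL through `getDownloadURL` and the storage rules are evaluated for that request.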
