[英]setting firebase storage rule to watch for a piece of state in React Firebase
Is it possible to set a firebase storage rule to watch the value of a piece of state?是否可以设置一个firebase的存储规则来观察一块state的值?
I am not using firebase auth for my app I just want to use a bucket for file storage.我没有为我的应用程序使用 firebase 身份验证,我只想使用存储桶来存储文件。 I have a state variable within my app:
我的应用程序中有一个 state 变量:
const [state, setState] = useState({
currentUser: null,
isAuthed: false
});
If the user is authenticated the isAuthed
value will flip to true.如果用户通过身份验证,
isAuthed
值将变为 true。 Therefore would it be possible to write a rule set that looks as so:因此,是否可以编写如下所示的规则集:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if state.isAuthed === true;
}
}
}
Your post raises two questions:你的帖子提出了两个问题:
How to pass data to storage rules?如何将数据传递给存储规则?
How to check for authentication status without using firebase authentication?如何在不使用 firebase 身份验证的情况下检查身份验证状态?
You could save your file to the path /userfiles/authenticated/...
to signal that the file was uploaded by an authenticated user.您可以将文件保存到路径
/userfiles/authenticated/...
以表明该文件是由经过身份验证的用户上传的。 In the storage rule, you have access to the path through the match clause:在存储规则中,您可以通过 匹配子句访问路径:
match /userfiles/authenticated/{allPaths=**} {
allow read, write: if true;
}
When uploading a file you can set custom metadata this way :上传文件时,您可以通过这种方式设置自定义元数据:
const metadata = { customMetadata: { isAuthed: true } };
const uploadTask = uploadBytes(storageRef, file, metadata);
Then you can read the metadata in the storage rules:然后你可以读取存储规则中的元数据:
match /{allPaths=**} {
allow read, write: if request.resource.metadata.isAuth == true;
}
Custom claims or custom tokens allow assigning data to a user in a secure way, this data is then passed to the storage rule.自定义声明或自定义令牌允许以安全的方式将数据分配给用户,然后将此数据传递给存储规则。 Custom claims necessitate using firebase authentication, but custom tokens allow you to assign a token from your server without using firebase authentication.
自定义声明需要使用 firebase 身份验证,但自定义令牌允许您从服务器分配令牌,而无需使用 firebase 身份验证。 To read the data:
读取数据:
match /{allPaths=**} {
allow read, write: if request.auth.token.isAuth == true;
}
The easiest way to ensure only authenticated users can upload is through custom claims or custom token, as detailed above.确保只有经过身份验证的用户才能上传的最简单方法是通过自定义声明或自定义令牌,如上所述。
⚠️ For fun only, use at your own risks ⚠️ 仅供娱乐,使用风险自负
Let's roll our own crypto protocol to have a secure way of allowing upload only to authenticated users.让我们推出我们自己的加密协议,以一种安全的方式只允许上传给经过身份验证的用户。 NB: this does not prevent read access because we cannot provide metadata.
注意:这不会阻止读取访问,因为我们无法提供元数据。
1- An user requests an upload token from your server: 1- 用户从您的服务器请求上传令牌:
const crypto = require("crypto");
const SECRET = "S3CRET"; // a secret shared by your server and security rules
// If the user is authenticated, send them this upload token:
const nonce = crypto.randomBytes(9).toString('base64');
const data = `${nonce},${filepath},${SECRET}`
const token = { nonce, hash: crypto.createHash('sha256').update(data).digest('base64') };
2- You pass the upload token to the storage rule via the file path or custom metadata as described above 2- 如上所述,您通过文件路径或自定义元数据将上传令牌传递给存储规则
3- In the storage rule, you validate the hash : 3- 在存储规则中,您验证 hash :
match /{allPaths=**} {
allow read: if true;
allow write: if verifyHash(request, allPaths);
}
function verifyHash(request, path){
let nonce = request.resource.metadata.nonce;
let hash = request.resource.metadata.hash;
let hash2 = hashing.sha256(nonce + "," + path + ",S3CRET")).toBase64();
return hash == hash2;
}
4- profit: only users who have an upload token can upload a file, as a bonus you also enforce the file path, and you could also enhance the token with a timestamp, and enforce some kind of rate limit. 4- 利润:只有拥有上传令牌的用户才能上传文件,作为奖励,您还可以强制执行文件路径,还可以使用时间戳增强令牌,并强制执行某种速率限制。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.