简体繁体 English

云存储 - 禁用公共访问保护，但失败

[英]Cloud Storage - Disabled Public Access Prevention, but Failed

原文 2022-09-16 07:30:10 3 2 flutter/ google-cloud-storage/ cloud/ firebase-storage

Okay, I was using Flutter and Firebase to upload data into Cloud Storage.好的，我正在使用 Flutter 和 Firebase 将数据上传到 Cloud Storage。 I gained the downloadURL which can be accessible on web if people know the URL.如果人们知道 URL，我获得了可以在 web 上访问的下载 URL。 I had enabled Public Access Prevention in Google Cloud Storage Console based on this doc and chose Access Control Uniform for this on doc .我基于此文档在 Google Cloud Storage Console 中启用了公共访问预防，并在doc上为此选择了访问控制统一。

I also had added Security Rule in Firebase Cloud Storage, so only Users with certain custom token can use it.我还在 Firebase 云存储中添加了安全规则，因此只有具有特定自定义令牌的用户才能使用它。 But, it seems useless as everyone can get its downloaded URL.但是，它似乎没用，因为每个人都可以下载它的 URL。 My question is why is that I still able to access the file if I am using the same URL which was I stored in Firestore?我的问题是，如果我使用存储在 Firestore 中的相同 URL，为什么我仍然能够访问该文件？ You can test it on this url .您可以在此url上对其进行测试。

Can hacker get the download URL I downloaded from Firestore?黑客可以得到我从 Firestore 下载的 URL 下载吗？ Is there a secure way to download song from Firebase Cloud Storage so hacker won't get its URL?有没有一种安全的方法可以从 Firebase 云存储下载歌曲，这样黑客就不会得到它的 URL？

Thank you for helping me out.谢谢你帮助我。

Updated v2: I just found out that current audio file has its own AuthenticatedUrl as shown on this picture below.更新 v2：我刚刚发现当前音频文件有自己的 AuthenticatedUrl，如下图所示。 How can I get access to this url?如何访问此 url？

Updated v1:更新 v1：

I think I haven't activated Firebase App Check.我想我还没有激活 Firebase App Check。 Does this feature have ability to prevent it from being accessed publicly or maybe there is other things that I have to do to be able to prevent it being accessed publicly, beside all ways I described above???除了我上面描述的所有方式之外，此功能是否有能力阻止它被公开访问，或者我必须做其他事情才能阻止它被公开访问？？？

2 个解决方案

Security rules only check if a user can get the download URL and do not restrict anyone from using it.安全规则仅检查用户是否可以获得下载 URL 并且不限制任何人使用它。 You can use the getData() method instead.您可以改用getData()方法。 It doesn't return any URL and downloads the files directly and is controlled by security rules .它不返回任何 URL 并直接下载文件并受安全规则控制。 So a user must be authenticated to fetch them.因此，必须对用户进行身份验证才能获取它们。

As mentioned in the Answer :如答案中所述：

If you're using the FlutterFire Storage library in your app, you can call getData on a reference to the file to get its data.如果您在应用程序中使用 FlutterFire 存储库，则可以对文件的引用调用getData以获取其数据。 So with that you just need to know the path to the data, and you won't need the download URL in your application.因此，您只需要知道数据的路径，就不需要在您的应用程序中下载 URL。 Once you have the data locally, you can create an image out of it with: Converting a byte array to image in Flutter?在本地获得数据后，您可以使用以下方法创建图像：将字节数组转换为 Flutter 中的图像？

Unlike download URLs, the call to getData() is checked by security rules, so you'll have to ensure that the user is permitted to access the file.与下载 URL 不同，对 getData() 的调用由安全规则检查，因此您必须确保允许用户访问文件。

You can also refer to this Answer :你也可以参考这个答案：

For web apps: in the JavaScript/Web SDK using a download URL is the only way to get at the data, while for the native mobile SDKs we also have getData() and getFile() methods, which are enforced through security rules.对于 web 应用程序：在 JavaScript/Web 中 SDK 使用下载 URL 是获取数据的唯一方法，而对于本机移动文件规则，我们也强制执行（通过）和获取安全数据 SDK 方法。

Until that time, if signed URLs fit your needs better, you can use those.在此之前，如果签名 URL 更符合您的需求，您可以使用它们。 Both signed URLs and download URLs are just URLs that provide read-only access to the data.签名 URL 和下载 URL 都只是提供对数据的只读访问权限的 URL。 Signed URLs just expire, while download URLs don't.签名 URL 只会过期，而下载 URL 不会。

For more information, you can refer to this Github issue where a similar issue has been discussed .有关更多信息，您可以参考此Github 问题，其中讨论了类似问题。