Firebase revoking download URL doesn't work
I am using firebase, react and react-native to develop an MVP app where users can upload image files and other users can retrieve them for viewing, and I am using firebase storage and the getDownloadURL() function.
I know that there are other ways of retrieving firebase storage files, but I want to use the downloadURL so that unauthenticated users may also view the images.
I know that downloadURL is public and access to files cannot be restricted even by firebase security rules.
Nonetheless, there is the revoke function where I can supposedly revoke the access token, i.e. the downloadURL. At the firebase console, I tried it out. It turns out that every time I revoke it, firebase generates a new one as a replacement. More problematic is that I can still use the old (revoked) URL to access the image files. I checked in the browser developer tools. The URL used by the browser was indeed the revoked URL. I used a new browser to ensure that the problem is not related to the cache. Even if I use a react-native app, the same problem appears.
The image becomes inaccessible only if I completely delete it from the firebase storage.
What is the problem here? Have I missed something?
I have looked up the firebase documentation and searched for similar issues on Stack Overflow but cannot get an answer. Other people don't seem to have this problem.
The reason why you can still access the revoked URLs is because in your firebase storage rules you have accepted reads for all users, whether authenticated or unauthenticated. To prevent access to revoked URLs, use the following in your firebase storage rules.
NB: This will require all users to be authenticated in order to get the download URL.
    rules_version = '2';
    service firebase.storage {
      match /b/{bucket}/o {
        match /{allPaths=**} {
          allow read, write: if request.auth != null;
        }
      }
    }
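When checking whether a revoke took effect, it helps to confirm which token the URL under test actually carries and whether the object still lists it. The following is an added example, not code from the question or the answer: it assumes the usual download URL layout (/v0/b/<bucket>/o/<encoded path>?alt=media&token=<token>) and that current tokens sit comma-separated in the object's firebaseStorageDownloadTokens metadata field; the function names and all sample values are constructed for illustration.

```javascript
// Added example: classify a Firebase Storage download URL against the
// object's current download tokens. All sample values are constructed.

// Split a download URL into bucket, object path and token.
// Assumed layout: /v0/b/<bucket>/o/<url-encoded path>?alt=media&token=<token>
function parseDownloadUrl(downloadUrl) {
  const url = new URL(downloadUrl);
  const match = url.pathname.match(/^\/v0\/b\/([^/]+)\/o\/(.+)$/);
  if (!match) {
    throw new Error("not a Firebase Storage download URL");
  }
  return {
    bucket: match[1],
    objectPath: decodeURIComponent(match[2]),
    token: url.searchParams.get("token"), // null when the URL has no token
  };
}

// Assumption: tokens are stored comma-separated in object metadata.
function currentTokens(metadata) {
  const raw = (metadata && metadata.firebaseStorageDownloadTokens) || "";
  return raw.split(",").map((t) => t.trim()).filter(Boolean);
}

// Returns "wrong-object", "no-token", "active" or "not-current".
function classifyUrl(downloadUrl, object) {
  const parsed = parseDownloadUrl(downloadUrl);
  if (parsed.bucket !== object.bucket || parsed.objectPath !== object.name) {
    return "wrong-object";
  }
  if (!parsed.token) return "no-token";
  return currentTokens(object.metadata).includes(parsed.token) ? "active" : "not-current";
}

// Constructed sample: object metadata after one revoke, holding only the new token.
const sampleObject = {
  bucket: "example-app.appspot.com",
  name: "images/cat.png",
  metadata: { firebaseStorageDownloadTokens: "22222222-2222-4222-8222-222222222222" },
};
const base = "https://firebasestorage.googleapis.com/v0/b/example-app.appspot.com/o/images%2Fcat.png?alt=media";
const oldUrl = base + "&token=11111111-1111-4111-8111-111111111111";
const newUrl = base + "&token=22222222-2222-4222-8222-222222222222";

console.log(classifyUrl(oldUrl, sampleObject), classifyUrl(newUrl, sampleObject));
```

In practice the object argument would come from the stored object's metadata as read by an admin tool, compared against the exact URL seen in the browser's network panel.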