
Cloud Storage - Disabled Public Access Prevention, but Failed

Okay, I was using Flutter and Firebase to upload data into Cloud Storage. I obtained the downloadURL, which is accessible on the web by anyone who knows the URL. I had enabled Public Access Prevention in the Google Cloud Storage Console based on this doc, and chose Uniform access control based on this doc.

I had also added a Security Rule in Firebase Cloud Storage, so only users with a certain custom token can use it. But it seems useless, as everyone can get its download URL. My question is: why am I still able to access the file if I am using the same URL that I stored in Firestore? You can test it on this URL.

Can a hacker get the download URL I fetched from Firestore? Is there a secure way to download a song from Firebase Cloud Storage so a hacker won't get its URL?

Thank you for helping me out.

Updated v2: I just found out that the current audio file has its own AuthenticatedUrl, as shown in the picture below. How can I get access to this URL?

(Image: Authenticated URL)

Updated v1:

I think I haven't activated Firebase App Check. Does this feature have the ability to prevent the file from being accessed publicly, or is there something else I have to do to prevent it from being accessed publicly, besides all the ways I described above?

(Image: Cloud Storage security rules)

(Image: showing that it is not public)

(Image: the object in Google Cloud Storage)

Security rules only check whether a user can get the download URL; they do not restrict anyone from using it. You can use the getData() method instead. It doesn't return any URL, downloads the file directly, and is controlled by security rules. So a user must be authenticated to fetch the files.

As mentioned in this Answer:

If you're using the FlutterFire Storage library in your app, you can call getData on a reference to the file to get its data. So with that you just need to know the path to the data, and you won't need the download URL in your application. Once you have the data locally, you can create an image out of it with: Converting a byte array to image in Flutter?

Unlike download URLs, the call to getData() is checked by security rules, so you'll have to ensure that the user is permitted to access the file.

You can also refer to this Answer:

For web apps: in the JavaScript/Web SDK using a download URL is the only way to get at the data, while for the native mobile SDKs we also have getData() and getFile() methods, which are enforced through security rules.

Until that time, if signed URLs fit your needs better, you can use those. Both signed URLs and download URLs are just URLs that provide read-only access to the data. Signed URLs just expire, while download URLs don't.

For more information, you can refer to this GitHub issue, where a similar issue has been discussed.
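As an added illustration of the approach in this answer (example code, not from the question or the answer): store only the Storage object path in Firestore and fetch the bytes with getData(), so the read is checked by security rules instead of being granted by a long-lived download URL. It assumes the FlutterFire firebase_auth and firebase_storage plugins are initialised; the `songs/` path, the custom claim name `premium`, and the function name are hypothetical.

```dart
import 'dart:typed_data';

import 'package:firebase_auth/firebase_auth.dart';
import 'package:firebase_storage/firebase_storage.dart';

/// Keep only the object path (e.g. "songs/track1.mp3") in Firestore, never the
/// download URL: the path alone is useless to anyone who fails the rules check.
Future<Uint8List> fetchProtectedAudio(String storagePath) async {
  final user = FirebaseAuth.instance.currentUser;
  if (user == null) {
    throw StateError('sign in first: rules reject unauthenticated getData()');
  }

  final ref = FirebaseStorage.instance.ref(storagePath);
  try {
    // getData() goes through the SDK with the user's ID token attached, so the
    // rules below decide whether it succeeds. The argument is the maximum
    // number of bytes we are willing to buffer in memory (here 20 MiB).
    final bytes = await ref.getData(20 * 1024 * 1024);
    if (bytes == null) {
      throw StateError('object exists but no data was returned');
    }
    return bytes;
  } on FirebaseException catch (e) {
    // 'unauthorized' is the plugin's error code when rules deny the read.
    if (e.code == 'unauthorized') {
      throw StateError('rules denied $storagePath for uid ${user.uid}');
    }
    rethrow;
  }
}

// Matching storage.rules (assumed; the claim name "premium" is hypothetical):
//
//   rules_version = '2';
//   service firebase.storage {
//     match /b/{bucket}/o {
//       match /songs/{song} {
//         // Only signed-in users carrying the custom claim may read;
//         // clients may never write.
//         allow read: if request.auth != null
//                     && request.auth.token.premium == true;
//         allow write: if false;
//       }
//     }
//   }
```

Any download URL already issued for the object is a separate credential that rules never re-check, so it keeps working until it is revoked; this function only helps for objects whose URL was never handed out.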
