Setting Firebase Storage rules to watch a piece of state in React Firebase

Published 2025-01-23 04:24:54


Is it possible to set a firebase storage rule to watch the value of a piece of state?

I am not using Firebase Auth for my app; I just want to use a bucket for file storage. I have a state variable within my app:

  const [state, setState] = useState({
    currentUser: null,
    isAuthed: false
  });

If the user is authenticated the isAuthed value will flip to true. Therefore, would it be possible to write a rule set that looks like this:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if state.isAuthed === true;
    }
  }
}

Comments (1)

岁月蹉跎了容颜 2025-01-30 04:24:54


Your post raises two questions:
How to pass data to storage rules?
How to check for authentication status without using firebase authentication?

✉️ Passing data to storage rules

File path

You could save your file to the path /userfiles/authenticated/... to signal that the file was uploaded by an authenticated user. In the storage rule, you have access to the path through the match clause:

match /userfiles/authenticated/{allPaths=**} {
  allow read, write: if true;
}

Custom metadata

When uploading a file you can set custom metadata this way:

import { uploadBytes } from "firebase/storage";

// Custom metadata values are always strings, so the flag is the string 'true'
const metadata = { customMetadata: { isAuthed: 'true' } };
const uploadTask = uploadBytes(storageRef, file, metadata);

Then you can read the metadata in the storage rules:

match /{allPaths=**} {
  // The key must match the one set in customMetadata, and the value is a string
  allow read, write: if request.resource.metadata.isAuthed == 'true';
}

Custom claims or custom tokens

Custom claims or custom tokens allow assigning data to a user in a secure way, this data is then passed to the storage rule.
Custom claims necessitate using firebase authentication, but custom tokens allow you to assign a token from your server without using firebase authentication.
To read the data:

match /{allPaths=**} {
  allow read, write: if request.auth.token.isAuth == true;
}

Checking authentication status

Use custom token

The easiest way to ensure only authenticated users can upload is through custom claims or a custom token, as detailed above.

Cryptographic trick

⚠️ For fun only, use at your own risk
Let's roll our own crypto protocol to have a secure way of allowing uploads only to authenticated users. NB: this does not prevent read access because we cannot provide metadata.

1- A user requests an upload token from your server:

const crypto = require("crypto");
const SECRET = "S3CRET"; // a secret shared by your server and security rules

// If the user is authenticated, send them this upload token:
const nonce = crypto.randomBytes(9).toString('base64');
const data = `${nonce},${filepath},${SECRET}`
const token = { nonce, hash: crypto.createHash('sha256').update(data).digest('base64') };

2- You pass the upload token to the storage rule via the file path or custom metadata as described above

3- In the storage rule, you validate the hash:

match /{allPaths=**} {
  allow read: if true;
  allow write: if verifyHash(request.resource.metadata, allPaths);
}

// Recompute the hash from the nonce, the requested path and the shared secret
function verifyHash(meta, path) {
  let nonce = meta.nonce;
  let hash = meta.hash;
  let hash2 = hashing.sha256(nonce + "," + path + ",S3CRET").toBase64();
  return hash == hash2;
}

4- profit: only users who have an upload token can upload a file, as a bonus you also enforce the file path, and you could also enhance the token with a timestamp, and enforce some kind of rate limit.
