FixVibe


Supabase storage security checklist: 22 items

Supabase Storage is a thin wrapper around S3-compatible buckets plus the same Row Level Security model the database uses. That means the RLS mistakes that affect tables also affect file access, and a few storage-specific ones show up when AI coding tools scaffold uploads. This checklist has 22 items across five sections: bucket configuration, RLS policies, upload validation, signed URLs, and operational hygiene. Each one can be verified in under 15 minutes.

Every item below matters. For the RLS side of tables, see the Supabase RLS guide. For the key-exposure class that sits next to storage, see Supabase service-role key exposed in JavaScript.

Bucket configuration

Start with sane defaults. A misconfigured bucket leaks files whether your RLS is correct or not.

  1. Make every bucket private by default. In the Supabase Dashboard → Storage → Buckets, leave the Public bucket toggle off unless you have an explicit reason (marketing assets, public documents with no PII). Public buckets bypass RLS for read operations: anyone who knows the bucket name can list and download.
  2. Set a hard file size limit on every bucket. Dashboard → Bucket settings → File size limit. 50 MB is a sensible default for user uploads; raise it deliberately for video / large-file use cases. Without a limit, a single malicious upload can burn through your storage quota or your monthly bandwidth.
  3. Restrict the allowed MIME types per bucket. The Allowed MIME types list is an explicit allowlist, not a denylist: image/jpeg, image/png, image/webp for an image-only bucket. Never allow text/html, application/javascript, or image/svg+xml in a user-content bucket; they execute in the browser when served from a signed URL.
  4. Use one bucket per content type, not one shared bucket. Per-bucket settings (size, MIME types, RLS policies) are the only granularity you get. A user-avatars bucket, a document-uploads bucket, and a public-assets bucket are easier to lock down than one mixed bucket.
  5. Configure CORS only if uploads are made cross-origin from the browser. If users upload directly from the browser to a signed upload URL, the bucket CORS must list your production origin. * is fine for public-only buckets, never for buckets that hold user PII.

RLS policies on storage.objects

Supabase Storage keeps file metadata in the storage.objects table. RLS on that table controls who can read, upload, update, or delete files. Without RLS, the bucket's public/private flag is your only protection.

  1. Verify that RLS is enabled on storage.objects. SELECT rowsecurity FROM pg_tables WHERE schemaname = 'storage' AND tablename = 'objects'; must return true. Supabase enables it by default on new projects; confirm it has not been switched off.
  2. Write a SELECT policy scoped to auth.uid() for private buckets. CREATE POLICY "users_read_own_files" ON storage.objects FOR SELECT USING (auth.uid()::text = (storage.foldername(name))[1]);. The convention is to store files under [user-id]/[filename] and use storage.foldername() to extract the owner from the path.
  3. Write an INSERT policy that enforces the same path convention. CREATE POLICY "users_upload_own" ON storage.objects FOR INSERT WITH CHECK (auth.uid()::text = (storage.foldername(name))[1]);. Without WITH CHECK, an authenticated user can upload into another user's folder.
  4. Add UPDATE and DELETE policies only if your app supports editing or deleting files. Each operation needs its own policy. Omitting DELETE means authenticated users cannot remove their files; omitting UPDATE means file overwrites fail silently.
  5. Test cross-user access in two browser sessions. Sign in as User A, upload a file, note the path. Sign in as User B in a second browser and try to fetch that file through the REST API. The response must be 403 or 404, never 200.
```sql
-- Confirm RLS on storage.objects
SELECT rowsecurity
FROM   pg_tables
WHERE  schemaname = 'storage' AND tablename = 'objects';

-- SELECT policy: scope reads to the owning user's folder.
CREATE POLICY "users_read_own_files"
  ON storage.objects
  FOR SELECT
  USING (auth.uid()::text = (storage.foldername(name))[1]);

-- INSERT policy: enforce the [user-id]/[filename] path convention.
CREATE POLICY "users_upload_own"
  ON storage.objects
  FOR INSERT
  WITH CHECK (auth.uid()::text = (storage.foldername(name))[1]);
```

Upload validation

Validate every upload server-side, even when the bucket has MIME and size limits. AI coding tools generate client-side-only validation by default; that protects nothing.

  1. Re-check the MIME type server-side from the actual file bytes, not from the Content-Type header. Use a library such as file-type (Node) or magic-byte sniffing. An attacker can declare Content-Type: image/jpeg on a file that is really an HTML / JavaScript polyglot payload.
  2. Strip EXIF metadata from uploaded images. EXIF can carry GPS coordinates, device serial numbers, and timestamps. Use sharp with .withMetadata(false) or exif-parser to strip it before storing.
  3. Reject SVGs that contain script tags or onload handlers. SVG is XML; many AI-generated apps allow SVG upload as "just an image." Use DOMPurify server-side or reject SVG uploads entirely.
  4. Use validated, unguessable filenames. Do not keep the original filename. Use a UUID or the file's content hash. Original filenames leak information ("passport_scan_2024_01_15.jpg"), and predictable names allow enumeration.

Signed URLs

Signed URLs are how clients reach private buckets. Expiry, bucket scope, and logging all matter.

  1. Make the default signed URL expiry one hour or less. The Supabase JS SDK's createSignedUrl(path, expiresIn) takes seconds. Do not use values like 31536000 (one year): the URL becomes a permanent public link.
  2. Do not store signed URLs in your database. Generate fresh ones server-side on every request. A stored signed URL with a one-year expiry that leaks through a database dump stays usable for a long time.
  3. Log signed URL generation, not just file uploads. If you suspect a breach later, you need to know who generated which URL and when. Log auth.uid() + bucket + object path + timestamp.
  4. Use the download option when serving user-uploaded files. createSignedUrl(path, expiresIn, { download: '.jpg' }) forces a Content-Disposition: attachment header so the file is downloaded instead of rendered, which defeats the HTML / SVG / HTML-inside-PDF rendering class.
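As an added example (not FixVibe's code, and not the Supabase SDK itself), here is a server-side wrapper that applies items 1, 3 and 4 together: it caps the expiry at one hour, always passes the download option, refuses to sign a path outside the caller's own [user-id]/ folder, and records one audit entry per issued URL. The real call shape, `storage.from(bucket).createSignedUrl(path, expiresIn, { download })` returning `{ data: { signedUrl }, error }`, is supabase-js's; the storage client is injected so the wrapper can be exercised against `fakeStorage`, a constructed stand-in that only records its arguments. `issueSignedUrl`, `MAX_EXPIRY_SECONDS` and the audit record shape are assumptions of this example.

```javascript
// Hard cap on signed URL lifetime. The page's "never 31536000" rule, made unconditional.
const MAX_EXPIRY_SECONDS = 60 * 60;

// storage: a supabase-js storage client (supabase.storage) or a compatible stand-in.
// userId: the caller's auth.uid(). auditLog: any array-like sink; route it to your
// log pipeline in production. downloadName: true for the stored name, or a filename.
async function issueSignedUrl(storage, { bucket, path, userId, expiresIn = 600, downloadName = true, auditLog }) {
  if (typeof path !== 'string' || path.split('/')[0] !== userId) {
    // Same ownership convention as the RLS policies; signing with the service role
    // bypasses RLS, so the check has to happen here.
    throw new Error(`path ${path} not owned by ${userId}`);
  }
  const expiry = Math.min(Math.max(1, Math.floor(expiresIn)), MAX_EXPIRY_SECONDS);

  const { data, error } = await storage
    .from(bucket)
    .createSignedUrl(path, expiry, { download: downloadName });
  if (error) throw new Error(`signed url failed: ${error.message}`);

  // Item 3: who signed what, for which bucket, and when.
  auditLog.push({ uid: userId, bucket, path, expiresIn: expiry, issuedAt: new Date().toISOString() });
  return { url: data.signedUrl, expiresIn: expiry };
}

// Constructed stand-in with the supabase-js call shape, used only to run the wrapper offline.
function fakeStorage() {
  const calls = [];
  return {
    calls,
    from(bucket) {
      return {
        async createSignedUrl(path, expiresIn, options) {
          calls.push({ bucket, path, expiresIn, options });
          return {
            data: { signedUrl: `https://example.invalid/storage/v1/object/sign/${bucket}/${path}?token=placeholder` },
            error: null,
          };
        },
      };
    },
  };
}

module.exports = { MAX_EXPIRY_SECONDS, issueSignedUrl, fakeStorage };
```

In a real handler replace `fakeStorage()` with `supabase.storage` and call `issueSignedUrl` on every request instead of persisting the URL (item 2); the audit record is the only thing worth storing.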

Operational hygiene

Storage configuration drifts over time. These four operational items keep the surface tight.

  1. Audit buckets quarterly. Dashboard → Storage → Buckets. Confirm that the public/private state and the MIME allowlist match what the app expects. Buckets created "for now" become permanent if nobody removes them.
  2. Check for anonymous listing activity. The storage logs (Dashboard → Logs → Storage) record LIST requests. A pattern of anonymous list requests against private buckets means someone is probing from outside.
  3. Set retention policies for temporary uploads. Temporary buckets (image previews, draft uploads) should be cleared automatically after 24-72 hours by a scheduled job. Unbounded retention is a liability under GDPR / CCPA data-minimisation duties.
  4. Run the FixVibe scan monthly. The baas.supabase-storage-public check tests for buckets that answer anonymous GET + LIST. New buckets get added and old ones get toggled; only a recurring scan catches that drift.

Next steps

Run the FixVibe scan against your production URL; anonymous storage listing shows up under baas.supabase-storage-public. Pair this checklist with the Supabase RLS guide for table rows and with Supabase service-role key exposed in JavaScript for the key-exposure side. For storage misconfigurations across other BaaS providers, see the BaaS misconfiguration guide.

// scan your BaaS surface

Find the open table before someone else does.

Paste a production URL. FixVibe enumerates the BaaS providers your app talks to, fingerprints each one as public or not, and reports what an unauthenticated client can read or write. Free, no install, no card.

  • Free tier: 3 scans / month, no card on file.
  • BaaS fingerprinting is passive: no domain verification needed.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, and more.
  • AI fix prompts on every finding, ready to paste back into Cursor / Claude Code.