Securing storage buckets

Squid provides a @secureStorage decorator which allows you to protect your built-in storage bucket and AWS S3 buckets, ensuring that only authorized users can access your files.

Squid's storage feature lets you manage files with the Squid Client SDK so you can interface with your files from any client. To learn more about using Squid storage with the Squid Client SDK, view the Squid storage documentation.

To secure a Squid storage bucket integration, use the @secureStorage decorator within a SquidService class in the Squid backend, passing the integration ID and the type of action. The following code allows full access to the built-in storage bucket:

Backend code
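import { secureStorage, SquidService } from '@squidcloud/backend';

// ExampleService is a placeholder name for your SquidService subclass.
export class ExampleService extends SquidService {
  @secureStorage('all', 'built_in_storage')
  allowAllAccessToBuiltInStorage(): boolean {
    return true;
  }
}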

To secure a Squid storage bucket for a different storage integration, provide your integration ID in the decorator:

Backend code
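import { secureStorage, SquidService } from '@squidcloud/backend';

// ExampleService is a placeholder name for your SquidService subclass.
export class ExampleService extends SquidService {
  @secureStorage('all', 'YOUR_STORAGE_INTEGRATION_ID')
  allowAllAccessToStorageIntegration(): boolean {
    return true;
  }
}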

The available action types are as follows:

'read'

The 'read' action includes reading metadata, generating download URLs, downloading files, and listing directory contents.

'write'

The 'write' action includes inserting new files, updating existing files, and deleting files.

'insert'

The 'insert' action allows for inserting new files, but does not allow for updating the contents of existing files or deleting files.

'delete'

The 'delete' action allows for deleting existing files.

'all'

The 'all' action includes all available bucket actions.

Securing writes

The following function allows an authenticated user to upload, update, and delete files in the built-in storage bucket:

Backend code
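import { secureStorage, SquidService } from '@squidcloud/backend';

// ExampleService is a placeholder name for your SquidService subclass.
export class ExampleService extends SquidService {
  @secureStorage('write', 'built_in_storage')
  allowAuthenticatedWrites(): boolean {
    return this.isAuthenticated();
  }
}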

Securing reads

To secure reading directory names, file metadata, and generating download URLs, use the 'read' action type. The following function allows a user to generate a download URL if the file path is their user ID:

Backend code
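import { secureStorage, SquidService, StorageContext } from '@squidcloud/backend';

// ExampleService is a placeholder name for your SquidService subclass.
export class ExampleService extends SquidService {
  @secureStorage('read', 'built_in_storage')
  allowReadUserFiles(context: StorageContext): boolean {
    // Only allow requests that generate a download URL
    if (context.functionality !== 'getDownloadUrl') {
      return false;
    }

    const userId = this.getUserAuth()?.userId;
    if (!userId) return false;

    // Check every path the user is trying to read to verify it is in the user's directory.
    // The trailing slash keeps user "ab" from matching "user/abc/...".
    for (const path of context.pathsInBucket) {
      if (!path.startsWith(`user/${userId}/`)) {
        return false;
      }
    }
    return true;
  }
}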

Including the StorageContext object as a parameter of the function gives the security function access to information about the action the client wants to take. The following shows an example StorageContext object:

{
  integrationId: 'built_in_storage',
  pathsInBucket: [ 'test/path/img.jpg' ],
  action: 'read',
  functionality: 'getFileMetadata'
}