Securing storage buckets
The @secureStorage decorator which allows protects your storage buckets so only authorized users can access your files.
Squid's storage feature lets you manage files with the Squid Client SDK so you can interface with your files from any client. To learn more about using Squid storage with the Squid Client SDK, view the Squid storage documentation.
To secure a Squid storage bucket integration, use the @secureStorage decorator within a SquidService class in the Squid backend, passing the integration ID and the type of action. The following code allows full access to the built-in storage bucket:
import { secureStorage, SquidService } from '@squidcloud/backend';
@secureStorage('all', 'built_in_storage')
allowAllAccessToBuiltInStorage(): boolean {
return true;
}
To secure a Squid storage bucket for a different storage integration, proide your integration ID in the decorator:
import { secureStorage, SquidService } from '@squidcloud/backend';
@secureStorage('all', 'YOUR_STORAGE_INTEGRATION_ID')
allowAllAccessToStorageIntegration(): boolean {
return true;
}
The available action types are as follows:
'read'
The 'read' action includes reading metadata, generate download URLs, download files, and list directory contents.
'write'
The 'write' action includes inserting new files, updating existing files, and deleting files.
'insert'
The 'insert' action allows for inserting new files, but does not allow for updating the contents of existing files or deleting files.
'delete'
The 'delete' action allows for deleting existing files.
'all'
The 'all' action includes all available bucket actions.
Securing writes
The following function allows an authenticated user to upload, update, and delete files ing the built-in storage bucket:
import { secureStorage, SquidService } from '@squidcloud/backend';
@secureStorage('write', 'built_in_storage')
allowAuthenticatedWrites(): boolean {
return this.isAuthenticated();
}
Securing reads
To secure reading directory names, file metadata, and generating download URLs, use the 'read' action type. The following function allows a user to generate a download URL if the file path is their user ID:
import { secureStorage, SquidService, StorageContext } from '@squidcloud/backend';
@secureStorage('read', 'built_in_storage')
allowReadUserFiles(context: StorageContext): boolean {
// Validate if the requested action is to get a download URL
if (context.functionality !== 'getDownloadUrl') {
return false;
}
const userId = this.getUserAuth()?.userId;
if (!userId) return false;
// Check any paths the user is trying to read to verify they're in the user's directory
for (const path of context.pathsInBucket) {
if (if (!path.startsWith(`user/${userId}`)) {
return false
}
}
return true;
}
Including the StorageContext object as a parameter of the function gives the security function access to information about the action the client wants to take. The following shows an example StorageContext object:
{
integrationId: 'built_in_storage',
pathsInBucket: [ 'test/path/img.jpg' ],
action: 'read',
functionality: 'getFileMetadata'
}