I'm using google storage public bucket for serving binary resources on the web right now.
As the docs mentioned
https://cloud.google.com/storage/docs/cross-origin
The authenticated browser download endpoint storage.cloud.google.com does not allow CORS requests. Note that the Google Cloud console provides this endpoint for each object's public URL link.
So in order to allow CORS, I need to put my proxy server in front.
I'm not sure there is a way I don't know to enable me to fetch resources directly from Cloud Storage with CORS but without having a relay server.
It looks like you're trying to use the URLs for objects that you're getting from the console. Those URLs use the domain storage.cloud.google.com. Because that domain allows callers to use their Google account cookies for authentication, its capabilities are intentionally kept very limited, and one such limitation is blocking cross-origin requests.
Instead, configure CORS using the standard Cloud Storage tools, then link your users to a URL like https://storage.googleapis.com/bucket_name/object_name, which will work fine with CORS. That will only work for publicly readable objects, but that sounds like what you've got.
Related
I am relying on the getBlob function to download files from Cloud Storage for Firebase directly from the browser. For this to work, I have allowlisted my app's origin in my Cloud Storage bucket. Everything works fine and is as expected.
However, I am also using Firebase Hosting's preview channels, each creating a new, unique origin. In consequence, for the getBlob function to work, I need to re-configure CORS for every new preview channel (and remove configurations for obsolete preview channels).
Is there a way to configure CORS of Cloud Storage buckets to automatically allow origins from all preview channels?
There is no way to automatically allowlist all preview channels (without allowlisting all origins. However, something you could do is use the CORS configuration API and the Firebase Hosting REST API to script automatically adding all channels after each deploy.
How this would work is essentially you would call ListChannels on your site, then use the resulting URLs from that list to populate the CORS configuration via the Cloud Storage API.
I have an API key specifically for Firebase and I have it restricted like so:
However, when I connect to Firebase from a different website (on front-end side) it still works.
I've tried connecting Google Maps and it doesn't work (because of the wrong referrer) but Firebase works.
How can I restrict Firebase access to specific web domains?
Note: I'm not using Firebase Auth, I'm only using Firestore as a database.
Double check if your domain accepts HTTP and HTTPS because both require separate restrictions. Also, try adding restriction that includes a wildcard path.
Here's an example:
https://www.test-domain.com
https://www.test-domain.com/*
http://www.test-domain.com
http://www.test-domain.com/*
Reference: https://cloud.google.com/docs/authentication/api-keys#adding_http_restrictions
I am using firebase to allow users to upload their files to the Storage buckets. I was using the getDownLoadURL() to fetch the publicly available URL...however, this comes with an embedded token to allow access to the file.
In my same app, I'm using the Google Document viewer which takes a URL to preview the doc. Unfortunately, the Google Doc Viewer does not work with the firebase URLs's with the embedded token.
In Google Console, on an individual file, I click to make it public. In that case, the URL is now reachable via the https://storage.googleapis.com// format...and I don't need to use the token which works great.
So, what I want to do is mark/make a file public when I'm uploading it to firebase. I have reviewed the firebase docs and there doesn't seem to be a makePublic() method like there is on the Google API's.
Is there a way I can mark a file as public during upload, so that it can be accessed without any token?
The other solution was that I could update the bucket to be accessible, but this makes it totally open to be browsed at https://storage.googleapis.com/, which I don't want to do.
The client-side Firebase APIs don't know anything about the underlying Google Cloud Platform configurations for public content in storage buckets. So that won't be an option.
You will have to involve some backend code to change the object's configuration after it's uploaded. You could set up your own API endpoint via Cloud Functions (or whatever backend you want) to run one of the Google Cloud Storage server SDKs to set the file as public. (You will probably also want some way to authorize that the user calling your API should be able to make this change.)
I'm working on a web app running on firebase services. I've created an express back-end running on Firebase Cloud Functions and hosted on Firebase Hosting. I am trying to add authentication so only users with permissions can access admin pages.
I tried implementing session cookies as described here. It was successful but unfortunately was vulnerable to CSRF attacks since Cloud Functions strips all cookies without the name __session from incoming requests so the proposed csrfToken cookie solution is impossible.
I then considered using Auth's persistence in the client's local storage and sending the token in the header of a GET request. Unfortunately, I have only found tutorials on how to do this for requests within scripts e.g. for APIs, not for GET requests directly from the browser to serve a page.
It seems that there should be a simple solution. Am I missing something? Is cloud functions not meant for serving web apps like this? Is there another way to protect against CSRF without cookies? If Cloud Functions still allows the __session cookie is it meant to be used for storing the user's Auth Token and if so does it protect against CSRF anyway?
Thanks
In the firebase Cloud Function you can implement your own Auth. However Firebase provided its own Authentication method. In the Cloud Function, it is simple use the ‘functions.auth.user().onCreate() ‘ method. You can refer to Extend Firebase Authentication with Cloud Functions documentation for samples.
As for your GET question, are you asking about how to programmatically extract the parameter from the URL? It'ss similar to this; you can pull the URL and substring the part that contain the token.
Is it possible to protect firebase http triggered functions without auth and accept calls only from my firebase hosted app?
I want my web app to call firebase functions with unauthenticated users but I don't want this functions to be accessible from anywhere else.
This is not possible to enforce. All of your HTTP functions are accessible by all other clients out there, regardless of where they are in the world (unless something in their network is blocking them).
You could certainly make an attempt to guess if a request did not originate from your web site (by looking at the referrer header), but that information can be easily spoofed by an attacker.