Restrict Firebase Storage URL to specific domain - firebase

Is there any possibility to restrict the Firebase Storage URLs to access from a specific domain?
I have tried downloadURL() and signedURL() but both are publicly accessible.

Related

Any way to upload DNS records to free Firebase domains?

Firebase provides 2 free domains per project, but is it possible to upload DNS records?
I want to enable Firebase Dynamic Links. Then I need to upload DNS records but I can't find how to do it.
Does anybody know?
Firebase does not provide DNS service. You must bring your own DNS provider.
Once you have your own DNS, you can connect it to Dynamic Links using the instructions in the documentation.
If you are using Firebase Hosting, you can connect it to Firebase Hosting using the instructions provided in the documentation.
DNS services are normally provided by your domain registrar, so the company where you registered your domain. Firebase doesn't offer domain registration services, so it doesn't allow you to manage DNS records either. Check with the place where you registered your domain for how to manage the DNS for that domain too.

How does Firebase distinguish between websites for Firebase analytics?

I know that using Firebase in a web app requires putting some public config keys in the front end code and that it's safe to do so. But I am confused about how Firebase would prevent malicious people from just copying those config keys and pasting them in their own sites and initializing the Firebase analytics SDK there to try to spoil my analytics data.
In Firebase auth, we also give some whitelisted domains and authentication services are only allowed on those domains by Firebase. So even if we try to access those auth services from another domain, Firebase won't allow it.
So how will Firebase differentiate in case of analytics? If the same config keys are put in webpages on two sites abc.com and xyz.com and abc.com is my actual site whose traffic is supposed to be tracked, how will Firebase know and discard data from the bad website xyz.com if the person who created xyz just copied my config from my front end code and initialized firebase.analytics() on their site to spoil my analytics?

Can I implement Firebase authorization for Google Cloud CDN URL?

I have a Firebase project where authenticated users can upload photos to a storage bucket. I have my Google Cloud CDN set up properly to the storage bucket. Obviously the bucket contents are available to the world now. How may I use Firebase authentication with Google Cloud CDN?
You cannot directly protect Cloud CDN content with Firebase Authentication, but you can prevent content served by Cloud CDN from being accessed publicly.
Signed URLs can be used to generate per-user, time-limited URLs that will only serve the content to that given user. Your application backend can sign and then issue these signed URLs.
Users trying to access content without a Signed URL will receive an HTTP 403 unauthorized.
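
The flow this answer describes, as an added Node.js example (not part of the original answer): the backend signs a Cloud CDN URL with HMAC-SHA1, and only for the caller's own objects. The key name, key, host, `/users/<uid>/` layout and the `edgeStatus` test helper are constructed assumptions, and `uid` is assumed to come from an already verified Firebase ID token.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed sample values, not real credentials or hosts.
const KEY_NAME = 'example-key';
const KEY_B64 = Buffer.from('0123456789abcdef').toString('base64'); // 16-byte key
const CDN_HOST = 'https://cdn.example.com';

// HMAC-SHA1 over the URL, URL-safe base64 with padding kept.
function sign(urlToSign, keyB64) {
  return createHmac('sha1', Buffer.from(keyB64, 'base64'))
    .update(urlToSign).digest('base64')
    .replace(/\+/g, '-').replace(/\//g, '_');
}

// Append Expires and KeyName, then sign everything before Signature.
function signCdnUrl(url, expiresEpoch, keyName = KEY_NAME, keyB64 = KEY_B64) {
  const sep = url.includes('?') ? '&' : '?';
  const toSign = `${url}${sep}Expires=${expiresEpoch}&KeyName=${keyName}`;
  return `${toSign}&Signature=${sign(toSign, keyB64)}`;
}

// uid must come from an already verified Firebase ID token (assumption).
// Hypothetical layout: each user's photos live under /users/<uid>/.
function issueUrlForUser(uid, objectPath, nowEpoch, ttlSeconds = 300) {
  if (!/^[A-Za-z0-9]+$/.test(uid)) return null;
  const ownPrefix = `/users/${uid}/`;
  if (!objectPath.startsWith(ownPrefix) || objectPath.includes('..')) return null;
  return signCdnUrl(CDN_HOST + objectPath, nowEpoch + ttlSeconds);
}

// Local model of the edge check, for testing only; the CDN does the real one.
function edgeStatus(signedUrl, nowEpoch, keyB64 = KEY_B64) {
  const m = /^(.*[?&]Expires=(\d+)&KeyName=[^&]+)&Signature=([\w=-]+)$/.exec(signedUrl);
  if (!m) return 403;
  const expected = Buffer.from(sign(m[1], keyB64));
  const given = Buffer.from(m[3]);
  const ok = expected.length === given.length && timingSafeEqual(expected, given);
  return ok && Number(m[2]) > nowEpoch ? 200 : 403;
}
```

Keep the lifetime short: anyone who obtains the signed URL can use it until `Expires` passes.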

Concerns about required A records for setting up Firebase Dynamic Links with a custom subdomain

In setting up our own subdomain to handle Firebase Dynamic Links using these docs, the wizard says to put the A records at example.com in our DNS. I'm getting pushback from our network administrators who are wary of creating an A record at the root of our domain, which is a large e-commerce web site.
A couple of concerns/questions about this:
The IP addresses required (151.101.1.195 and 151.101.65.195) point to non-Google servers (looks like Fastly), which is a bit alarming - it seems strange that Google would outsource their deep link hosting.
We don't want all of our e-commerce traffic (coming through example.com) to be subject to these A records. Is it possible to put the A records at link.example.com instead?
The Firebase documentation on using a custom domain for dynamic links has this note:
To use a custom domain for Dynamic Links, the domain must point to Firebase Hosting. If you have a domain you want to use with Dynamic Links and the domain points to a different host, you can either move to Firebase Hosting or create a subdomain hosted by Firebase, which you can use for Dynamic Links.
So you can indeed use a subdomain for the dynamic links. In that case, just set up the subdomain in Firebase hosting. You'll need the same TXT record as normal, to prove that you have access to the domain, but then just map the subdomain (e.g. links) for the A record.
Here is the answer I received from Firebase support about my two concerns/questions:
Regarding Fastly, Firebase uses this subprocessor to deliver content and managed services on Firebase Hosting. For more details you could check the list of Subprocessors used by Firebase on this doc.
It's possible to use a subdomain as your Firebase project's FDL domain. You'd need to create a subdomain (link.example.com) on your domain's DNS provider and connect it to Firebase Hosting. You could check out this guide for more details.

Authorize domain calls

I have a JS API that uses Firebase internally for DB operations. The API will be used on different website domains.
I need to restrict DB operation calls to authorized domains only.
I cannot restrict by UID, as non-signed users also need to access the website.
I believe I need to figure out some way using an anonymous user, or else some better way. Any suggestions?
There is no way to restrict traffic to the Firebase Database to a specific domain or list of domains. Using Firebase Authentication is the only way to control access to your data.
