Is there a way to allow only a firebase function to upload files to firebase storage without authentication?
If you upload to files to Storage in Cloud Functions for Firebase, you are using the Node.js SDK for Cloud Storage and your code accesses Storage with elevated privileges. This SDK does not follow Firebase's security rules for your Storage bucket, so it can upload files no matter what rules you set.
So if you use this rule:
allow write: if false;
Your Cloud Functions will be able to upload files, but nobody using a client-side SDK in your app will be able to.
Related
I'm trying to implement a system that allows react-native clients to upload files to a specific folder in Cloud Storage and allows clients to download from them. I can't do this directly from the client because I first need to query Firestore to validate that the user is 'friends' with the owner of the folder which will allow for read/write permissions.
I decided to use Cloud Functions as a middle layer to encapsulate this business logic and I expected to also be able to use it as a middle layer to upload the files. However, I feel like I may be misunderstanding how to best use these services together to solve this problem.
Current Plan:
Client uploads file to Cloud Function (assuming they are permitted after Cloud Function queries Firestore and validates)
Cloud Function uploads file to Cloud Storage
Client can then request file from Cloud Function, which validates permissions using Firestore and downloads file from CloudStorage
Cloud Function sends file to client
Questions:
Can/Should I use Cloud Functions in this way as a middle layer to upload files after validating permissions store in Firestore?
Is there an alternative solution using firebase that would mitigate the 10MB download limit with Cloud Functions but still allow me to authenticate uploads/downloads to and from Cloud Storage using my custom business logic on relationships in Firestore?
Any help or guidance here is appreciated! I'm very new to firebase, cloud architecture, and architecture in general.
This is definitely a valid and technically feasible approach. Whether you should do it, only you can determine of course.
An alternative is to use Firebase Storage's security rules to enforce the access control on the files. But you won't be able to read anything from Firestore in those rules, so you'll have to ensure everything needed to grant/deny access is in the path of the requested file, in the file's metadata, and/or in the user's token.
Even if you implement the download of files in Cloud Functions, you can still perform uploads through Firebase. You could in that case for example have the user write to a temporary location, which then triggers a Cloud Function that can do whatever additional checks you want on the file.
Is it possible to setup a Firebase cloud function that serves a file from a Firebase cloud storage bucket to avoid using the long firebasestorage.googleapis.com link
Yes, that is possible. In that case you can even go without download URLs, since in Cloud Functions you'll have administrative access to all files in your Cloud Storage bucket anyway.
I have a backend in golang and was wondering how I can connect to Firebase storage to create/delete buckets and add/delete files. Can I use the Admin sdk. I found the client storage lib in golang for google cloud storage. Can I use that? And whats the difference between firebase storage and google cloud storage?
The app I'm working on connects to Firebase Storage Buckets via the Admin SDK, but we're using Firebase Functions in Node.js. However, it looks like the Admin SDK in Go offers the same Storage access, and it's documented (with example code in Go) here:
https://firebase.google.com/docs/storage/admin/start
I like using Admin in Firebase, because you don't have to worry about project configuration and authentication to the various services. Firebase storage is google cloud storage, but with a nice wrapper and well-integrated into other aspects of your Firebase project. You get some limitations as a trade-off for all of that convenience, but unless you run into a feature of Google Cloud that you absolutely need and doesn't exist in Firebase, I'd stick with the Firebase (and Admin) version.
I have a node.js client that uses firebase authentication. Now I want to access Google Cloud Storage, however the firebase SDK for node.js does not include GCS. Using #google-cloud/storage works but only with anonymous access. How do I apply the firebase credential to #google-cloud/storage so that GCS access is in the context of the logged-in user?
Node.js is a server that operates in a privileged environment. The Firebase Admin SDK (aka the Node SDK) talks to other services via a service account.
Firebase Authentication enables client-side authentication. The JavaScript SDK is the client-side SDK.
There is no Node.js client SDK for Firebase that accesses Cloud Storage. Since both the Firebase Admin SDK and the Google Cloud Platform client for Node.js use administrative privileges to access Cloud Storage, it looks like those won't be an option for you either.
The two options I can think of are:
Use the Admin SDK in a Cloud Function, and expose the files from Cloud Storage that way.
Use the REST API for Cloud Storage.
I admit that neither is trivial, so I hope somebody knows a better solution.
I'm new to firebase cloud storage. Quick question: Are firebase cloud-storage read rules meant to apply to SDK read access, or http (get) URL access (via the URL returned by the SDK after a write), or both?
May have followup questions depending on how this question is answered.
Thanks.
The Firebase security rules for Cloud Storage apply to users accessing Cloud Storage through the Firebase SDK.
The rules do not apply to users accessing Cloud Storage through a download URL, which is an unguessable URL that provides read-only access to files.
The rules also do not apply to users accessing Cloud Storage through one of the native Cloud Storage SDKs, which run with administrative permissions and are typically only run on app servers or otherwise trusted environments.