I need to store profile images, and in order to fetch the right profile image I'm using the userid as the filename. However, each upload I want to save it as the same filename.
I've followed the answer on https://stackoverflow.com/a/61129057/1012500 and I'm able to access the file publicly without signing in. However, my uploads still contain a access token.
I'm uploading it using flutter. Is there anything else I need to do so that I don't use the token to get the latest version of the file ?
Related
How can I retrieve Firebase storage image in flutter without getting downloadUrl and display it within some image compatible widget. I don't want my users to anyhow see download url even if they open my code
If you're using the FlutterFire Storage library in your app, you can call getData on a reference to the file to get its data. So with that you just need to know the path to the data, and you won't need the download URL in your application. Once you have the data locally, you can create an image out of it with: Converting a byte array to image in Flutter?
Unlike download URLs, the call to getData() is checked by security rules, so you'll have to ensure that the user is permitted to access the file.
I have installed Firebase extension Delete User Data which triggers of user deletion. I have mentioned the storage paths as per the provided instructions.
Where in Google Cloud Storage do you store user data? Leave empty if
you don’t use Cloud Storage. Enter the full paths to files or
directories in your Storage buckets, separated by commas. Use {UID} to
represent the User ID of the deleted user, and use {DEFAULT} to
represent your default Storage bucket. Here’s a series of examples. To
delete all the files in your default bucket with the file naming
scheme {UID}-pic.png, enter {DEFAULT}/{UID}-pic.png. To also delete
all the files in another bucket called my-app-logs with the file
naming scheme {UID}-logs.txt, enter
{DEFAULT}/{UID}-pic.png,my-app-logs/{UID}-logs.txt. To also delete a
User ID-labeled directory and all its files (like media/{UID}), enter
{DEFAULT}/{UID}-pic.png,my-app-logs/{UID}-logs.txt,{DEFAULT}/media/{UID}
Cloud Storage Paths: {DEFAULT}/profilepic/{UID}.jpeg
I am always getting the following log
File: 'profilepic/uid_1234.jpeg' does not exist in Cloud Storage, skipping
It has been report in the github issues for firebase extension. For Extension version: 0.1.7 check the temporary fix by using your storage bucket name instead of DEFAULT.
To find your bucket name:
Go to your Storage dashboard in the Firebase console.
Click the Files tab, then look in the header of the file viewer.
Copy the URL to your clipboard. It's usually in the form project-id.appspot.com.
Instead of
{DEFAULT}/profilePhotos/{UID}.jpg
use:
your-project.appspot.com/profilePhotos/{UID}.jpg
where your-project.appspot.com is your bucket name.
I am not sure the latest extension 0.1.8 fixed the issue
Source
I am using firebase to allow users to upload their files to the Storage buckets. I was using the getDownLoadURL() to fetch the publicly available URL...however, this comes with an embedded token to allow access to the file.
In my same app, I'm using the Google Document viewer which takes a URL to preview the doc. Unfortunately, the Google Doc Viewer does not work with the firebase URLs's with the embedded token.
In Google Console, on an individual file, I click to make it public. In that case, the URL is now reachable via the https://storage.googleapis.com// format...and I don't need to use the token which works great.
So, what I want to do is mark/make a file public when I'm uploading it to firebase. I have reviewed the firebase docs and there doesn't seem to be a makePublic() method like there is on the Google API's.
Is there a way I can mark a file as public during upload, so that it can be accessed without any token?
The other solution was that I could update the bucket to be accessible, but this makes it totally open to be browsed at https://storage.googleapis.com/, which I don't want to do.
The client-side Firebase APIs don't know anything about the underlying Google Cloud Platform configurations for public content in storage buckets. So that won't be an option.
You will have to involve some backend code to change the object's configuration after it's uploaded. You could set up your own API endpoint via Cloud Functions (or whatever backend you want) to run one of the Google Cloud Storage server SDKs to set the file as public. (You will probably also want some way to authorize that the user calling your API should be able to make this change.)
This question already has an answer here:
Firebase Storage getDownloadUrl's token validity
(1 answer)
Closed 4 years ago.
I'm developing a Flutter app and I don't know which is the best way to store and retrieve an image from Firebase Storage.
For example, I'm implementing a show profile picture feature:
CircleAvatar(backgroundImage: NetworkImage(profilePictureUrl))
I get profilePictureUrl from my database. I can save its value on database in two way: saving its firebase download url, or saving its firebase path.
Case 1: saving firebase download url
With getDownloadUrl I get this kind of url:
https://firebasestorage.googleapis.com/v0/b/{project}/o/{path}?alt=media&token={token}
If I save it on my database I would persist an Url with a token inside. Do you think that this token will expire sooner or later?
Case 2: saving firebase image path
If I save the image path on my database than I have the overhead of calling getDownloadUrl before any image access, for example:
Firebase Storage path value: images/users/{userId}/profile
Future<String> getProfilePictureUrl(String path) async {
var ref = _firebaseStorage.ref().child(path);
String url = (await ref.getDownloadURL()).toString();
return url.toString();
}
Dilemma
What is the best practice to handle the images upload and download with Firebase storage?
Thank you.
Case 1 - The download URL will remain valid until you manually revoke it in the console; i.e. it doesn't just expire. See Revoking Firebase storage download urls. The URL is considered 'unguessable'. Revocation exists so that you can change it if it ever became compromised.
Case 2 - You will receive the same URL every time (the same one which you can inspect in the Console) - unless, of course, someone has manually revoked it in the console and created a new one.
I am trying to build a Firebase admin utility that I can use to upload files to Firebase Storage and then return a long lived URL that I can store in the Firebase Realtime DB to access this file.
I believe I can do this in the Firebase Console by going to my project's console, clicking Storage on the left, clicking Upload File. Once the file is uploaded, I can get a URL by selecting the file in the list to open the right information pane, and then expanding the File Location section.
In that section there is a Download URL which appears to be a long lived but revocable URL containing a token of some type. Is this URL safe to store in a DB for long term storage? It does appear to be the same URL that is returned from the file upload api, which another Google Codelab (for Flutter) showed being stored in the realtime database.
However, I cannot figure out how to generate that type of URL from the Firebase Storage Management API. I am using NodeJS, but it should apply to all versions of the API AFAIK. I can only find a getSignedUrl call which does not seem to return the same URL, and appears to be time limited and containing a link to the service account...not what I want to store in a database.
let bucket = admin.storage().bucket();
bucket.upload('innovation3.jpeg', {destination: 'image_assets/innovation3.jpeg'},
function(err, file) {
file.getSignedUrl({action: 'read'},
function(err, url) {
console.log('Url: ' + url);
})
});
Is it possible to get this URL from the Management API, or do I need to use some other method. What is recommended?
Signed URLs created with the Firebase Admin SDK (backed by the the Cloud Storage SDK) are different from Download URLs created by the Firebase client SDKs. They serve the same general purpose, but you can expect them to look different from each other. They are both safe to store long term, except you should know that Signed URLs have an expiration date, which are you not specifying in your call. In that case, I don't know what the effective expiration is going to be.
Each invocation of getSignedUrl will generate a new URL. There is not just one that's unique to the file.