Hi I want to clarify whether Firebase storage ref path can be obtained from the download url for the purpose of security
Yes, the object path is embedded right there in the download URL, which you can see if you examine it carefully. There is even an API that converts a download URL into a reference.
Related
How can I retrieve Firebase storage image in flutter without getting downloadUrl and display it within some image compatible widget. I don't want my users to anyhow see download url even if they open my code
If you're using the FlutterFire Storage library in your app, you can call getData on a reference to the file to get its data. So with that you just need to know the path to the data, and you won't need the download URL in your application. Once you have the data locally, you can create an image out of it with: Converting a byte array to image in Flutter?
Unlike download URLs, the call to getData() is checked by security rules, so you'll have to ensure that the user is permitted to access the file.
Per these docs, I understand once we have the firebase path in storage, we can get the download url by calling getDownloadUrl() on this path's ref. My question is all the docs suggest to get the download url first then download file data based on these image, but can we persist this download url in our realtime db for the file, so we don't have to call getDownloadUrl() each time?
Current file upload and download workflow ->
Upload:
1. upload file to storage in specific path.
2. store path in realtime DB to persist for future downloading purposes
Download
1. get object from realtime DB and retrieve storage path
2. get storage object
3. get url from getDownloadUrl() on that object
4. download data from url
Better upload/download workflow ->
Upload:
1. upload file to storage in specific path.
2. get download url from storage object
3. store download path in realtime DB to persist for future downloading purposes
Download
1. get object from realtime DB
2. get download url stored in object
3. download data from download url
What is getDownloadUrl() doing under the hood and is the given url static?
The download URL is meant to be persisted. It's a waste of time for clients to call it every time. This is illustrated consistently in Firebase sample code.
This question already has an answer here:
Firebase Storage getDownloadUrl's token validity
(1 answer)
Closed 4 years ago.
I'm developing a Flutter app and I don't know which is the best way to store and retrieve an image from Firebase Storage.
For example, I'm implementing a show profile picture feature:
CircleAvatar(backgroundImage: NetworkImage(profilePictureUrl))
I get profilePictureUrl from my database. I can save its value on database in two way: saving its firebase download url, or saving its firebase path.
Case 1: saving firebase download url
With getDownloadUrl I get this kind of url:
https://firebasestorage.googleapis.com/v0/b/{project}/o/{path}?alt=media&token={token}
If I save it on my database I would persist an Url with a token inside. Do you think that this token will expire sooner or later?
Case 2: saving firebase image path
If I save the image path on my database than I have the overhead of calling getDownloadUrl before any image access, for example:
Firebase Storage path value: images/users/{userId}/profile
Future<String> getProfilePictureUrl(String path) async {
var ref = _firebaseStorage.ref().child(path);
String url = (await ref.getDownloadURL()).toString();
return url.toString();
}
Dilemma
What is the best practice to handle the images upload and download with Firebase storage?
Thank you.
Case 1 - The download URL will remain valid until you manually revoke it in the console; i.e. it doesn't just expire. See Revoking Firebase storage download urls. The URL is considered 'unguessable'. Revocation exists so that you can change it if it ever became compromised.
Case 2 - You will receive the same URL every time (the same one which you can inspect in the Console) - unless, of course, someone has manually revoked it in the console and created a new one.
I am trying to build a Firebase admin utility that I can use to upload files to Firebase Storage and then return a long lived URL that I can store in the Firebase Realtime DB to access this file.
I believe I can do this in the Firebase Console by going to my project's console, clicking Storage on the left, clicking Upload File. Once the file is uploaded, I can get a URL by selecting the file in the list to open the right information pane, and then expanding the File Location section.
In that section there is a Download URL which appears to be a long lived but revocable URL containing a token of some type. Is this URL safe to store in a DB for long term storage? It does appear to be the same URL that is returned from the file upload api, which another Google Codelab (for Flutter) showed being stored in the realtime database.
However, I cannot figure out how to generate that type of URL from the Firebase Storage Management API. I am using NodeJS, but it should apply to all versions of the API AFAIK. I can only find a getSignedUrl call which does not seem to return the same URL, and appears to be time limited and containing a link to the service account...not what I want to store in a database.
let bucket = admin.storage().bucket();
bucket.upload('innovation3.jpeg', {destination: 'image_assets/innovation3.jpeg'},
function(err, file) {
file.getSignedUrl({action: 'read'},
function(err, url) {
console.log('Url: ' + url);
})
});
Is it possible to get this URL from the Management API, or do I need to use some other method. What is recommended?
Signed URLs created with the Firebase Admin SDK (backed by the the Cloud Storage SDK) are different from Download URLs created by the Firebase client SDKs. They serve the same general purpose, but you can expect them to look different from each other. They are both safe to store long term, except you should know that Signed URLs have an expiration date, which are you not specifying in your call. In that case, I don't know what the effective expiration is going to be.
Each invocation of getSignedUrl will generate a new URL. There is not just one that's unique to the file.
My Requirement is to generate signed Url for drive uploaded document
which will be shared with clients so that they can able to download
files form drive without any authentication.
As newbie to use drive API for first time, I am using .NET libraries to call drive API. I have setup the service account for Google API as mentioned in the document. I am able to make API call using service account and able to upload the files. I reffered to How to sign url in .net for google cloud storage to create the sign url. but after accessing the mentioned url receiving following error:
<Error> <Code>InvalidBucketName</Code> <Message>The specified bucket
is not valid.</Message> </Error>
I am not sure about GoogleBucketName and GoogleBucketDir. Can anybody tell me where i would get GoogleBucketName & GoogleBucketDir. Currently i am setting GoogleBucketName to Prject Name i created in google developer console https://console.developers.google.com/ and GoogleBucketDir as empty string. Thanks in advance.
After you upload a file you are returned a file resource.
File resource contains a field called alternatelink
alternateLink string A link for opening the file in a relevant Google
editor or viewer.
You can share this link with other users they will be able to open the file in drive they should also be able to download it from drive.
There is another field called downloadUrl which might let them download it but I haven't tested that one personal. If I remember correctly downloadUrl was null sometimes so I didn't use it.
Console.WriteLine("Alternate link: " + item.AlternateLink);
Google Drive API Link to file Tutorial