I want to create a Udemy like video platform where a user can see all videos but can watch videos only that he has purchased.
I am making a rest call to get the videos from the storage bucket from an angular application, using Firebase authentication here. In my GET request to storage bucket I am passing the access token that I got from Firebase authn.
Does this access token can be used to determine scope of the user to access video in a bucket?
Assume if I have given read access for a video in a bucket for a specific user, using the access token can I get the video? But every time I tried it shows unauthorized. Is there any other way to verify users access to storage bucket object.
Google recommend to not use ACL because it's hard to manage and to have a global view on the authorization.
In most cases, Cloud Identity and Access Management (Cloud IAM) is the recommended method for controlling access to your resources.
Caution: Permissions can be granted either by ACLs or Cloud IAM policies. In general, permissions granted by Cloud IAM policies do not appear in ACLs, and permissions granted by ACLs do not appear in Cloud IAM policies. The only exception is for ACLs applied directly on a bucket and certain bucket-level Cloud IAM policies, as described in Cloud IAM relation to ACLs.
IMO, the best pattern is to have a database on your side with the file on GCS allowed per user. You can store these in Firestore: affordable, pay as you use, generous free tier. For downloading the video, you can generate a temporarily access to the user by generating a signedUrl.
As per mention Guillaume Cloud Storage use the ACL pattern in order to have a control to the access of the resources stored in their buckets.
Nevertheless, when you need to storage wide objects per user in this case a video, you can store these in Firestore: affordable, pay as you use, generous free tier. This is a very suitable option since Firestore can use as another resource
Is recommended for this scenario generate a signed URL
Related
My application has Firebase users (i.e. users created in Firebase Authentication, NOT in Firebase IAM or in GCP IAM). These users are not linked to a G Mail or Google Workspaces (formerly G Suite) account, and are not part of my organization.
I need to grant each of these users write access (not read) to a Cloud Storage bucket (1 user = 1 bucket), while not allowing any kind of access to that bucket to unauthenticated users or to other Firebase users.
How would I go about doing that?
I have tried verifying auth and generating a presigned URL from my Cloud Functions backend, but it has turned out a bit problematic with uploading thousands of files, which is why I'm looking at alternatives.
Time-limited access is not a requirement for me either way (I'm fine with users only having a few hours of access or having forever access). Also, if one bucket per user is too problematic, one folder per user, all inside the same bucket, would also be acceptable.
I know that in AWS I could use Cognito User Pools for the users, and then link the users to an Identity Pool so they can obtain temporary AWS credentials with the required scope, but I haven't been able to find the equivalent in GCP. The service comparison table hasn't helped in this regard.
I realize I might have the wrong idea in my head, coming from AWS. I don't mind if I have to link my Firebase users to GCP IAM users or to Firebase IAM users for this, though to me it sounds counter-intuitive, and I haven't found any info on that either. Maybe I don't even need GCP credentials, but I haven't found a way to do this with a bucket ACL either. I'm open to anything.
Since your users are signed in with Firebase Authentication, the best way to control their access is through security rules that sit in front of the files in your storage bucket when you access them through the Firebase SDK.
Some example of common access patterns are only allowing the owner of a file to access it or attribute or role based access control.
When implementing security rules, keep in mind that download URLs that you can generate through the Firebase SDK (if have read access to a file) provide public read-only access to the file too. These download URLs bypass the rules, so you should only generate them for files that you want to be publicly access to anyone with that URL.
in the last few days I have looked into Google Cloud Storage Buckets. I would like to know how to authenticate and authorize users when accessing data, preferably without the use of a backend.
Context: I have an app with the following requirements: Authenticated end users should be able to upload data to a (or their) bucket, with the default read access being scope to the user. At any point, the owner of the bucket should allow the bucket contents to be available to the public (publish bucket contents, read only).
End users are currently being authenticated with JWTs on the browser.
I have looked at the different ways of controlling access to Storage Buckets.
To my understanding:
IAM is unsuitable as it is meant for Google Accounts and should be used within the company, not to authenticate end users (clients)
ACLs are seemingly not recommended and are described as a legacy way meant for interoperability with S3
Signed URLs are "ok" for uploads, but I would rather have an actually authenticated way of uploading.
What's totally unclear to me: what access control method can be used to authenticate my end users (pref. with JWTs) especially for reading data?
This seems like an issue everyone should face, but I can't seem to find good info? On a side note: I am aware that Firebase exists for this reason, I just want to know how to tackle this on GCP.
There is no other solution than signed URL and a backend (I know that breaks your requirement) that check the authentication and generate that signedURL (on only the relevant/authorized files)
When implementing this purely in GCP, you'll typically end up implementing your own auth solution for your clients, and then your own authorization model in your server-side code.
If you want to not implement this yourself, using Firebase for your Cloud Storage access would be the way to go. This implements client-side authentication and server-side security rules to control access.
In Apple's iCloud, there's a Private bucket where the user can store data, using an iOS app created by a third party, that no one else, including the iOS app creator, can see.
Is there a similar mechanism in Google Cloud Platform?
First of all, I'm assuming that you intend to read and write this private storage directly from a client app.
If you're using Firebase Authentication to sign in the user on the client, you can use either Firebase Realtime Database or Firestore to store per-user private information. These products do not have an internal sense of dedicated storage for users. What you will have to do is assign that space on your own (perhaps a "users" node in RTDB, or a collection in Firestore), and protect that space with the security rules provided by that database product. The security rules will determine who can read and write what data, based on their Auth identity.
Since you tagged this Firestore, I'll assume you intend to use that. You should read up on security rules to better understand how this works. If you are not using Firebase Auth for end user authentication, this will not be possible, however.
I have created an app, that allows users to create a simple photo collection. All the data is stored in the Firebase Cloud Firestore. The images are uploaded to Firebase Storage.
The owner of a collection can invite any other user to access his collection and upload photos.
The sharing of data in Firestore works fine. But now I have problems with writing the security rules for Storage. Does anyone know, how I have to write the rules, so that any user added to the collection can access the images as well? The files for each collection are stored in separate folders.
Firebase security rules currently do not bridge between products. You can't use data in Cloud Firestore in security rules for Cloud Storage. The only things you have access to in security rules for Cloud Storage are object metadata and Firebase Authentication custom claims per user. You will have to figure out a way to make changes to either one of those things to implement your permissions.
Alternatively, you can direct all access through Cloud Functions to decide if the user should be able to access the content, but bear in mind that Cloud Functions responses can only be 10MB maximum.
You should look into creating a private group and authenticate the group with help of private token.
https://firebase.google.com/docs/storage/security/user-security#group_private
I'm currently using Firebase for an online Android game in Kotlin (school project) to authenticate/register users. We're going to release our first version for testing, and I would like to set a limit of people that are able to sign up with Firebase (20 to be specific). Is this possible? Thank you in advance.
There is no way to limit the number of people that can sign in to Firebase Authentication. All authentication does is allowing you to say (and prove) that "I am Max", and there is no way to restrict in Firebase Authentication who can do that (beyond creating your own custom identity provider).
But you can limit what these users can do in the rest of your app. If you're for example using the Firebase Realtime Database or Cloud Firestore, you'd restrict the users who can access the database with their respective server-side security rules (Realtime Database, Cloud Firestore).
If you have your own backend servers, you'll want to pass the ID token from the user to that server, and verify the token there to allow who can access what resources.