Firebase Storage URL format instead of using References - firebase

I wanted to know how long lived the firebase storage URL's are.
I'm using firebase storage to host some static images. Currently using the file references to get the url's in app.
But would like to skip this step and just use the URL's instead. Does anyone know what if anything will cause first part of the URL to change?
(https://firebasestorage.googleapis.com/v0/b/)
Total URL
https://firebasestorage.googleapis.com/v0/b/{Project_ID}.appspot.com/o/{FILE_PATH}?alt=media&token={TOKEN}

The first part of the URL (https://firebasestorage.googleapis.com/v0/b/) will only change if the Firebase Storage API ever changes. Since this hasn't happened since its release in May 2016, and isn't planned to happen at any point at the moment, we can be certain it is a really infrequent occurrence.
The {Project_ID}.appspot.com/o/ will only change if you have a different project. For an existing project this will never change.
The {FILE_PATH} is the path to your file, so will only be different when referring to a different file.
And token={TOKEN} will only stop working if you revoke the token, as answer here: Firebase Storage getDownloadUrl's token validity

A download URL will last forever, or until its specific token is rejected from the Firebase console.

Related

Authentication between a display and firestore

Im developing a solution where I have data stored on firestore. On the other side I have react based website which reads this data.
Today I "authenticate" the solution in my test with in the backend a firebase config and that they enter a uniqID in the URL. So example: company.com/display/asdkjlasdjkl239023. I then do simple firestoreConnect where I add the ID as where clause. Right now my firestore rules are just open for all. But for production this dosen't seems so secure.
In theory I guess I would want some typ of authentication when the device first loads. Maybe a pin code would be good (email/password etc is to long). Then there would be a rule only allowing this connection to read what they are supposed to read nothing else.
Im trying to figure out how this could be solved but don't have any good idea. I figured somebody must have built something similar before :)
You can use Firebase Authentication phone Auth to verify a user based on their phone number, easier than email/password. You can even create your custom authentication inside Firebase Auth.
To secure your firestore or real time database, you need to use and understand Firebase Security Rules you can write security rules which will block the user from accessing other files that they aren't suppose to (which are ofc decided by you).

Is it safe to store only "folder-name/filename.jpg" information for files uploaded to Firebase storage?

Right now, everytime I upload an image file to firebase storage, I get an url that looks like this:
https://firebasestorage.googleapis.com/v0/b/my-project.appspot.com/o/some-folder%2Ffile_name.jpg?alt=media
And I'm storing the full URL in my Firestore docs for the object that uses that image.
If I know that it will never change, I could save just the last part: /some-folder%2Ffile_name.jpg?alt=media
But I don't know if the first part could change for future uploads.
Since I'll be rebuilding the full URL on client, if the first part do change for future downloads, it will break my code.
Should I stick to storing the full URL? Or is it safe to assume that the first part of the Firebase Storage API will always be the same?
Firebase gives no written guarantee that nothing will change for that URL. The only "safe" thing to do is store the entire URL. Or, store the path and call getDownloadUrl every time you want to manufacture a new URL.

Firebase Storage – getting static link based on filename

I have a situation where in Firebase Storage users store their avatar to /users/{uid}.jpg
If I then use the Storage API to get the download URL and display the image, it ends up being very slow to make the first request because the download URL is not cached anywhere.
So my solution is to get the DownloadURL when the user uploads the image and store that in Firebase allowing the client image provider to automatically cache the image which speeds up loads considerably.
However, there is one problem with this solution.
If a user replaces their avatar, the old link becomes broken instead of updated. I believe this is because a new token is generated each time something is uploaded for security reasons but these are of no benefit to me.
So my question is twofold:
1) How can I allow a user to upload an avatar to a path that is dedicated to them such as /users/{uid}.jpg, get a bare download URL that can be cached by the client, and have that URL remain the same even when the file changes at /users/{uid}.jpg
2) If this is not possible, what is the normal way to solve this issue?
Download URLs are opaque. The contents of the actual URL itself is an implementation detail of the system, and it's not supported to dig around in its contents. The URLs can't be dissected or composed.
You can use a storage trigger with Cloud Functions to automatically generate a signed URL whenever something changes in your storage bucket.
So instead of serving from a hard-coded URL, simply retrieve the URL from an updated value in the datastore (or any data storage system). Every time the user updates the avatar, simply store the new URL in the datastore and you can query for it when you need it.

Firebase revoke token on download url

When I simple "took" a images on firebase console it create me automatically a download url like
https://firebasestorage.googleapis.com/XXX/YYY/XXX/name.jpg?alt=media&token=.
I wanna have my file super-secured, how I can remove this download url or revoke this token?
The Firebase console provides a "revoke" option next to the download URL which can be used for this (look under the "File Location" tab). You should use Firebase rules to properly secure your assets, if object-level security is important to you: https://firebase.google.com/docs/storage/security/
There's no way you can restrict that url (not even through security rules). It is always public but note that it is unguessable. There is also a revoke option through Firebase console just in case the URL leaks.
As pointed by others you don't need to be concerned about this URL as in practice is very hard to guess. However you should not share it or use it as entry point to the application. Instead you should use the Signed URLs support provided by Google Cloud.

Firebase Redundancy/Failover - How does it work

I'm curious how redundant Firebase is? When I write database to Firebase is it automatically replicated to multiple data centers/servers?
I noticed if I go to http://status.firebase.com/, there is a list of servers (?) called s-dal5-nss-XX. Not sure what these exactly mean or how to find out which one of these your application resides on.
More information would be great!
Thank you!
how to find out which one of these your application resides on
From a discussion on the Firebase mailing list:
You can monitor https://.firebaseio.com/.settings/owner.json to find out what server is currently handling requests for your Firebase app. Note that whilst this is a method of getting the current hostname your Firebase is under, Firebase apps are not guaranteed to stay on the same server - configurations can (and do) change as we add or remove servers from rotation or load balance as necessary.

Resources