I have a Firebase project where authenticated users can upload photos to storage bucket. I have my Google Cloud CDN setup properly to the storage bucket. Obviously the bucket contents are available to the world now. How may I use Firebase authentication with Google Cloud CDN?
You cannot directly protect Cloud CDN content with Firebase Authentication, but you can prevent content served by Cloud CDN from being accessed publicly.
Signed URLs can be used to generate per-user, time-limited URLs that will only serve the content to that given user. Your application backend can sign and then issue these signed URLs.
Users trying to access content without a Signed URL will receive a HTTP 403 unauthorized.
Related
Is there any possibility to restrict the firebase storage URLs to access from a specific domain.
I have tried downloadURL() and signedURL() but both are publicly accessible.
I know that using firebase in a web app requires putting some public config keys in the front end code and that its safe to do so. But I am confused about how firebase would prevent malicious people from just copying those config keys and pasting them in their own sites and initializing the firebase analytics sdk there to try to spoil my analytics data.
In firebase auth, we also give some whitelisted domains and authentication services are only allowed on those domains by firebase. So even if we try to access those auth services from another domain, firebase won't allow it.
So how will firebase differentiate in case of analytics? If the same config keys are put in webpages on two sites abc.com and xyz.com and abc.com is my actual site whose traffic is supposed to be tracked, how will firebase know and discard data from the bad website xyz.com if the person who created xyz just copied my config from my front end code and initialized firebase.analytics() on their site to spoil my analytics?
I've developed an website in Flutter that I've deployed on Firebase. What I want to achieve is to redirect the user of an app to this website using an URL that also contains an JWT token because there will be some authenticated requests to be done on the website - but the website doesn't have any login page.
Is it possible to retrieve that token in order to be used in the code of the website?
If you're using Firebase Hosting, all traffic between the client and server goes over an SSL-encrypted connection, so the data can only be seen by the sender and received (unless your certificate chain is compromised).
If you pass the token in the URL, anyone can see it, as the URL is not encrypted. So you'll want to send the token in (for example) a header, such as the pre-defined Authorization header of HTTP. This is actually what the Firebase JavaScript SDKs themselves do to pass authentication information to the Firebase server.s
I have a service API running behind Firebase Hosting Rewrite Rule that will benefit from CDN caching as its API response rarely changes, but it will need to be protected from the public. Currently, the server is doing auth check for every request coming in using Firebase Auth's verifyIdtoken to see if it should accept incoming request or not.
I was wondering if Firebase Hosting's global CDN supports any kinds of authentication, such that auth check can be done at CDN level. Something similar to GCP Endpoint Auth, or but tailored for Firebase.
As a mitigation for now, the server is setting cache related HTTP headers for requestors to cache the response, however, this is per-user cache, and every new user's request will continue to reach the server.
All files on Firebase Hosting are accessible by anyone who knows their URL, so should only be used for hosting public files. There is no security mechanism in place.
I have a mobile app (Android/iOS) that uses the Firebase SDK for several Firebase services (including Authentication and Storage).
Now there's a subsystem within the app that can't directly access the Firebase SDK, but I need to upload files to Storage from this subsystem. HTTP(S) requests are possible, so I tried to use the Storage JSON API for uploading.
However, an OAuth 2.0 token is required for authorizing requests via the JSON API. Is there a simple way to receive such a token, when there's already a signed-in user in the Firebase SDK? It seems the only thing I get from the Firebase SDK is the "Firebase ID token" (JWT token), but I don't know how to convert it (or if this is even possible) to an accepted OAuth token for the JSON API.
I think you're trying to do the petition from the plugin itself and it might not have the permissions.
Did you pass it to sign In With Custom Token to the SDK when your users sing-in?
I read that after that, a Custom Token and credentials are attached to the user's profile.
Why don't you try to do the petition from the user's profile instead of doing it from the plugin?