download from Firebase storage using qr codes - firebase

Haven't started development yet, but I just want to ask if there would be some security issues if I created a qr code that will directly download something from the firebase storage, will there be some authorization stuff needed? still choosing wether to store it from google drive or firebase storage(payment capacity reasons)

If you encode the download URL from Firebase Storage into the QR code, then anyone with the QR code can read the file. That is because the download URLs from Firebase Storage are publicly readable, but unguessable.
If you instead encode the path to the file into the QR code, then that file can only be access by a user that is signed in to Firebase and for whom the security rules you have configured allow read access to the file.
From what you described you're looking to use the first option with download URLs. It's hard to say what security issue you're asking about, but just be aware that in that case anyone with the QR code will know the download URL, and can thus read the file (or share that URL with others, so that they too can read the file). If that is not what you want, you'll need a more advanced scheme, which typically starts with being able to identify your users.

Related

R/googlesheets4 non-interactive session

When I use googlesheets4 in R, I use sheets_auth() in the console and it works fine. But when I try to run it in R markdown, and when I try to knit, I cannot seem to get the credentials. Can someone walk me through the process? I've gone to the vignettes for googlesheets4 but cannot seem to understand it.
This is working for me
gs4_auth(path = "xxxxxxxxxxxxxxxx.json")
It doesn't return anything, but after that I'm able to write data in my sheet with sheet_write()
To get the credentials in a json file you have to follow these steps:
From the Developers Console, in the target GCP Project, go to IAM & Admin > Service accounts.
Give it a decent name and description.
For example, the service account used to create the googledrive docs has name “googledrive-docs” and description “Used when generating
googledrive documentation”.
Service account permissions. Whether you need to do anything here depends on the API(s) you are targetting. You can also modify roles
later and iteratively sort this out.
For example, the service account used to create the googledrive docs does not have any explicit roles.
The service account used to test bigrquery has roles BigQuery Admin and Storage Admin.
Grant users access to this service account? So far, I have not done this, so feel free to do nothing here. Or if you know this is useful
to you, then by all means do so.
Do Create key and download as JSON. This file is what we mean when we talk about a “service account token” in the documentation of gargle
and packages that use gargle. gargle::credentials_service_account()
expects the path to this file.
Appreciate that this JSON file holds sensitive information. Treat it like a username & password combo! This file holds credentials that
potentially have a lot of power and that don’t expire.
Consider storing this file in such a way that it will be automatically discovered by the Application Default Credentials search
strategy. See credentials_app_default() for details.
You will notice the downloaded JSON file has an awful name, so sometimes I create a symlink that uses the service account’s name, to
make it easier to tell what this file is.
Remember to grant this service account the necessary permissions on any resources you plan to access, e.g., read or write permission on a
specific Google Sheet. The service account has no formal relationship
to you as a Google user and won’t automatically inherit permissions.
(copied from here https://gargle.r-lib.org/articles/get-api-credentials.html#service-account-token)

Firebase Storage URL format instead of using References

I wanted to know how long lived the firebase storage URL's are.
I'm using firebase storage to host some static images. Currently using the file references to get the url's in app.
But would like to skip this step and just use the URL's instead. Does anyone know what if anything will cause first part of the URL to change?
(https://firebasestorage.googleapis.com/v0/b/)
Total URL
https://firebasestorage.googleapis.com/v0/b/{Project_ID}.appspot.com/o/{FILE_PATH}?alt=media&token={TOKEN}
The first part of the URL (https://firebasestorage.googleapis.com/v0/b/) will only change if the Firebase Storage API ever changes. Since this hasn't happened since its release in May 2016, and isn't planned to happen at any point at the moment, we can be certain it is a really infrequent occurrence.
The {Project_ID}.appspot.com/o/ will only change if you have a different project. For an existing project this will never change.
The {FILE_PATH} is the path to your file, so will only be different when referring to a different file.
And token={TOKEN} will only stop working if you revoke the token, as answer here: Firebase Storage getDownloadUrl's token validity
A download URL will last forever, or until its specific token is rejected from the Firebase console.

What Firebase Storage reference should be saved to RTDB/Firestore?

I'm trying to determine the best way to reference a Firebase Storage (Google Cloud Storage) file in a direct-read database like Realtime Database or Cloud Firestore. Since a read operation to this database does not benefit from a backend that can issue tokens and cache image URLs, it is not clear to me what the most performant way is to store these references.
I have come up with a few options and none of them are a clear winner.
Store a path like /images/foo.jpg to the database, and use Storage Client SDK to generate a tokenized path with storage.bucket().getDownloadURL("/images/foo.jpg").
Pros: Secure & simple.
Cons: Network call for every single image you want to display hurts performance considerably.
Store a tokenized path like https://firebasestorage.googleapis.com/v0/b/storage-bucket-823743.appspot.com/o/images%2Ffoo.jpg?alt=media&token=c6da1e33-f3ff-41e2-a6f0-bdb475a2f6d9 with a super long TTL.
Pros: No extra fetch on the client.
Cons: long string stored in expensive RTDB. What if that token is revoked by mistake? The database is now broken.
Store a path like /images/foo.jpg to the Database and use public storage rules. Reconstruct into a custom static URL like https://firebasestorage.googleapis.com/v0/b/storage-bucket-823743.appspot.com/o/images%2Ffoo.jpg?alt=media
Pros: Tiny database use, no extra client fetch, explicit public access, no token to lose.
Cons: URL encoding is super flaky, Storage could change their URL format and we'd be out of luck.
So, those are the options I've come up with, and there may be more. Any suggestions for how to solve this issue? The issue is unique because the Firebase databases don't have the benefit of a custom server to handle a token/caching layer to resolve this problem.
There is no single "best way" to store these paths. It all depends on your use-case, your preferences, and the context in which you're implementing it.
I typically use :
If I need access to the files to be secured, I store the image path (like in your #1), and then use the Firebase SDK to access the file.
If I don't need access to the files to be secured, I store the image path and the download URL. This way I can find the image easily based on the path, and use the download URL in non-secured clients.
The con's you mention for these are simply not affecting me. I'd recommend you take a similar approach, and report back when the problem actually occurs.

How to hide the Firebase Storage download URL from the network tab of browsers?

I'm leveraging Firebase Authentication for downloading images from firebase storage. I'm also leveraging google API HTTP referrers for blockage by domain so that my image from firebase storage is only accessed from my website. But when I go to the network tab of my browser I can see the download URL of the image. By this, anyone can download my image and use it. What should I do so that my images are secured?
P.S: I'm using the firebase storage SDK and by following the documentation when I execute this code below
storageRef.child('images/stars.jpg').getDownloadURL().then(function(url) {
// `url` is the download URL for 'images/stars.jpg'
var img = document.getElementById('myimg');
img.src = url;
}).catch(function(error) {
// Handle any errors
});
I can see the download URL in the network tab of my browser.
You can't. When you give up access to a Cloud Storage download URL to any one, in any way, you are implicitly trusting that user to its access. They are free to share it with anyone they want. If you don't trust that user, then don't give them the URL.
If you don't like the way this works, then don't use download URLs, and allow only secure downloads via the Firebase SDK. At that point, you are trusting the user they will not take the content and upload it elsewhere and generate a URL to it.
You seem to have two options as far as I can tell. Unfortunately, they are basically one in the same effectively as you will probably have to implement both.
The first option is to revoke the access token on individual files you don't want to be allowed to download. Unfortunately, this also means that you can't display them anywhere you currently do via the URL as it breaks that link. See this answer for why that is a pain to do.
The second option is to use storage references to download them client side, but this only works if you are using Firebase SDK's in a web app and not a simple static website. I think this shouldn't expose the URL on the network tab of the browser if the app is set up correctly.
You can implement the second option without the first and the URL shouldn't be exposed, but you can't use the url anymore and have to use both options if you implement the first one... :/ meh... firebase is great, but nothing is perfect
This seems to work, I'll update if it doesn't
Edit: "However, the CORS configuration applies only to XML API requests," which one can just go to the file still.. https://cloud.google.com/storage/docs/cross-origin
GCP console >_
pencil icon > create cors.json [{"origin":["https://yourorigin1.com"],"method":["GET"],"maxAgeSeconds":3600}]
go back to shell and enter gsutil cors set cors.json gs://yourproject1.appspot.com
https://stackoverflow.com/a/58613527/11711280
Workaround:
I will make all rules resource.data.authorId, resource.data.members, etc. I need to match the request.auth.uid (or control calls in client code to non-anonymous uid's), and sign-in every user anonymously, at first. Then, uid will not be null when using a firebase initialized from our domain

Firebase revoke token on download url

When I simple "took" a images on firebase console it create me automatically a download url like
https://firebasestorage.googleapis.com/XXX/YYY/XXX/name.jpg?alt=media&token=.
I wanna have my file super-secured, how I can remove this download url or revoke this token?
The Firebase console provides a "revoke" option next to the download URL which can be used for this (look under the "File Location" tab). You should use Firebase rules to properly secure your assets, if object-level security is important to you: https://firebase.google.com/docs/storage/security/
There's no way you can restrict that url (not even through security rules). It is always public but note that it is unguessable. There is also a revoke option through Firebase console just in case the URL leaks.
As pointed by others you don't need to be concerned about this URL as in practice is very hard to guess. However you should not share it or use it as entry point to the application. Instead you should use the Signed URLs support provided by Google Cloud.

Resources