This question already has an answer here:
Firebase Storage getDownloadUrl's token validity
(1 answer)
Closed 4 years ago.
I'm developing a Flutter app and I don't know which is the best way to store and retrieve an image from Firebase Storage.
For example, I'm implementing a show profile picture feature:
CircleAvatar(backgroundImage: NetworkImage(profilePictureUrl))
I get profilePictureUrl from my database. I can save its value on database in two way: saving its firebase download url, or saving its firebase path.
Case 1: saving firebase download url
With getDownloadUrl I get this kind of url:
https://firebasestorage.googleapis.com/v0/b/{project}/o/{path}?alt=media&token={token}
If I save it on my database I would persist an Url with a token inside. Do you think that this token will expire sooner or later?
Case 2: saving firebase image path
If I save the image path on my database than I have the overhead of calling getDownloadUrl before any image access, for example:
Firebase Storage path value: images/users/{userId}/profile
Future<String> getProfilePictureUrl(String path) async {
var ref = _firebaseStorage.ref().child(path);
String url = (await ref.getDownloadURL()).toString();
return url.toString();
}
Dilemma
What is the best practice to handle the images upload and download with Firebase storage?
Thank you.
Case 1 - The download URL will remain valid until you manually revoke it in the console; i.e. it doesn't just expire. See Revoking Firebase storage download urls. The URL is considered 'unguessable'. Revocation exists so that you can change it if it ever became compromised.
Case 2 - You will receive the same URL every time (the same one which you can inspect in the Console) - unless, of course, someone has manually revoked it in the console and created a new one.
Related
How can I retrieve Firebase storage image in flutter without getting downloadUrl and display it within some image compatible widget. I don't want my users to anyhow see download url even if they open my code
If you're using the FlutterFire Storage library in your app, you can call getData on a reference to the file to get its data. So with that you just need to know the path to the data, and you won't need the download URL in your application. Once you have the data locally, you can create an image out of it with: Converting a byte array to image in Flutter?
Unlike download URLs, the call to getData() is checked by security rules, so you'll have to ensure that the user is permitted to access the file.
I am using Firebase storage and firestore with flutter,
I came across two options to retrieve Firebase storage image
Setting Firebase storage image url in firestore database and then fetching it with network image
Getting image url from Firebase storage directly
I don't know much about tokens.
My security rules states that only auth users can read my Firebase storage but if I use first option my image url with token is stored in my firestore database using that url anyone can access my storage. I am not sure does Firebase refresh it's storage token automatically then if this is the case my app will experience crash.
Which is the most secure and long lasting way or please answer if any other secure way to fetch images
Firebase storage tokens won't expire unless you revoke them. The token may update if you overwrite the image i.e. update it. Now that's totally your call if you would like to make a separate request just to get the download URL or store the URL in realtime database when an image is uploaded and fetch it along with other data.
Security rules of Firebase Storage will prevent non-authenticated users from getting the download URL only. If an authenticated user shares the URL with anyone, they will be able to see the image as they have the URL with that random token now.
If the data you are fetching from realtime database requires the user to be logged in at first place, then I'd just store the URL in the database itself as I don't think it makes sense to make another request and have the same rules for Firebase storage. I don't know your exact use case so there may be exceptions for doing this.
If you don't need that image URL always then that might be waste of bandwidth, then you should consider making separate request to get the storage URLs.
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
These rules will allow any authenticated user to request the URL. But as I mentioned earlier, anyone with this link can access the file.
I need to store profile images, and in order to fetch the right profile image I'm using the userid as the filename. However, each upload I want to save it as the same filename.
I've followed the answer on https://stackoverflow.com/a/61129057/1012500 and I'm able to access the file publicly without signing in. However, my uploads still contain a access token.
I'm uploading it using flutter. Is there anything else I need to do so that I don't use the token to get the latest version of the file ?
I am trying to build a Firebase admin utility that I can use to upload files to Firebase Storage and then return a long lived URL that I can store in the Firebase Realtime DB to access this file.
I believe I can do this in the Firebase Console by going to my project's console, clicking Storage on the left, clicking Upload File. Once the file is uploaded, I can get a URL by selecting the file in the list to open the right information pane, and then expanding the File Location section.
In that section there is a Download URL which appears to be a long lived but revocable URL containing a token of some type. Is this URL safe to store in a DB for long term storage? It does appear to be the same URL that is returned from the file upload api, which another Google Codelab (for Flutter) showed being stored in the realtime database.
However, I cannot figure out how to generate that type of URL from the Firebase Storage Management API. I am using NodeJS, but it should apply to all versions of the API AFAIK. I can only find a getSignedUrl call which does not seem to return the same URL, and appears to be time limited and containing a link to the service account...not what I want to store in a database.
let bucket = admin.storage().bucket();
bucket.upload('innovation3.jpeg', {destination: 'image_assets/innovation3.jpeg'},
function(err, file) {
file.getSignedUrl({action: 'read'},
function(err, url) {
console.log('Url: ' + url);
})
});
Is it possible to get this URL from the Management API, or do I need to use some other method. What is recommended?
Signed URLs created with the Firebase Admin SDK (backed by the the Cloud Storage SDK) are different from Download URLs created by the Firebase client SDKs. They serve the same general purpose, but you can expect them to look different from each other. They are both safe to store long term, except you should know that Signed URLs have an expiration date, which are you not specifying in your call. In that case, I don't know what the effective expiration is going to be.
Each invocation of getSignedUrl will generate a new URL. There is not just one that's unique to the file.
I have question regarding the logic for implementing a profile image uploader and storing the image url in a database under the user uploading the image using react-native and firebase authentication, cloud functions, database and storage services.
An example of the way the imageUrl would be stored
{
“users”: {
“7ad9310fsasghsa72”: {
imageUrl: ‘imageHoster.com’
},
“4k2dH5lifs35kfsp0”: {
imageUrl: ‘imageHoster.com’
},
}
}
The question is, is the logic below a correct utilisation of firebase services in relation to implementing this feature or is there a better way?
User uploads image on mobile device through react-native
Image gets sent to a firebase cloud function, for validating it, reducing it to 150x150
Image gets stored in google cloud storage
URL returned from the stored image is stored in firebase database under the user who is uploading the image
Also using this firebase implementation what is the way for authenticating the user making the request inside of the cloud function so that I’m able to store the url of the image returned from storage service under that user in the database?
Thanks
You can check out the following link for callable cloud functions
Call functions from your app
With callables, Firebase Authentication and FCM tokens, when available, are automatically included in requests.
Your can use the auth data inside the request parameter to keep track of whose data is contained in the request.
Storing the image url string inside the database is the way to go if you would like to keep track of the user's profile photo. It is also the recommended way of building your app.
Cheers,if you get stuck,the community here will help.
Happy coding!