I am building a small web app using Firebase.
There is the steps :
The User connect (Firebase authentication)
The user upload an image (Firebase storage)
The user can download or see his images
<img [src]="imageFromFirebase">
The url given by firebase looks like :
https://firebasestorage.googleapis.com/v0/b/<Your API>/o/userData_YOQioOsgzUP0B0fTAa6BVK5KOxo2%2Fimages%2F-L-w7THGfT6qmX9UhLsK3.png?alt=media&token=61f6edf9-188e-4177-9ee2-34635ebc5a4a
With this URL, I can display the image on the browser only if the user is conneted.
The real problem is that I copied this URL and past it in another web browser (without being authenticated)
And SURPRISE !! this image is displayed !
I don't understand why the image is displayed ?
It is normal ?
Thank you !
When you generate a download URL for a file in Cloud Storage for Firebase, anyone who has the URL will be able to download its contents. This is by design. The URL is "unguessable", so only people who actually have the URL will be able to see the content.
If you don't want people to see that file, then don't share the URL. If the URL is accidentally shared to others who shouldn't have access, you can revoke the token that allows everyone to see the content.
As I know, the right way for storing then retrieving file is that you upload file to a path (folder/filename), store that path (a field in post for example) then when you want to show it, pass the stored path to the getDownloadURL function, it will return a full url that can be use as src attribute for img tag
Related
I’m using Firebase dynamic Link in my app to share information between users ( like post id )
the URL with post id is something like : https://myapp.web.app/opkzpeokzkpk12pokfze
the generated short dynamic link is : https://myapp.page.link/abcd
everything work fine, when user click on the dynamic link we are able to decode the postId
Now I’m receiving this email from google :
We’re writing to let you know that your Firebase Dynamic Links (FDL) project(s) do not have configuration to prevent phishing. Please specify the allowed URLs that Dynamic Links in your projects can redirect to.
Specifying a URL allowlist prevents third parties from using your API key to create Dynamic Links that redirect from your FDL domain to sites not on the allowlist.
can I use this ?
Allowed domain : myapp.web.app
Regular expression preview : ^https{0,1}:\/\/myapp.web\.app([\/#\?].*){0,1}$
my app is used on production and I’m not sure about this change ?
can someone suggest if this URL is correct or which URLs can use ?
I have successfully created a dynamic link via Firebase using their API as listed here: https://firebase.google.com/docs/dynamic-links/rest#creating-a-short-dynamic-link. I was wondering what the lifespan of one these "generated-on-the-fly" dynamic links were?
Dynamic Links have no time-to-live, and don't expire.
You can archive a link from the Firebase console, but that merely hides it and doesn't expire the existing link.
This reads like a XY problem though. Since dynamic links carry no authentication/authorization information, they are valid indefinitely. If any authentication is required to see the contents that the link target, you'd implement that in your app after requiring the user to authentication/authorize after the link is resolved.
If the link target has become invalid in your app, you'll want to set up a redirect in your app - so that users who have the old link end up in a useful location too. This is essentially the same that you'd do with links on a web site: instead of letting the web server show a 404 page, it's better to set up redirects to the new location of the relevant content.
I've read the documentation and I just don't get the fundamental concept about how to access files.
I want to use Firebase Storage in a web app. I have pre-uploaded images that should be accessible to the public. I see that when you upload from the Firebase Console, you get a link to that asset. I see that the token is in the URL and that you can revoke this token, (See screenshot)
So... is that url with the token supposed to be secret? It would be bad to use that link in public html, right?
If so, how can I generate a public link that I could use in an <img src="link-here.com" /> ?
is that url with the token supposed to be secret?
It's a secret that gets shared with everyone who should be able to access the object.
It would be bad to use that link in public html, right?
Only if that would expose access to those who should not be able to download the object.
how can I generate a public link that I could use in an ?
Follow the instructions in the documentation for downloading data via URL. You will use getDownloadURL() to asynchronously get a URL that has the token embedded in it.
When using Firebase Storage with the Javascript SDK is there a way to only let users who pass the read permissions view an image. The issue I'm running into is once I get a storage reference the only way to view the image in a browser is via the download url, which has no permissions attached to it. What I am wanting is a URL only accessible by users who pass the read permissions. Is there a way to do this currently?
Edit 1:
Currently, I am getting the url like this:
const firebaseUrl = 'gs://bucket/object';
const storageRef = firebase.storage().ref();
storageRef.child(firebaseUrl).getDownloadURL()
.then(url => console.log(url))
.catch(err => console.log(err));
And am putting the download url in the img src.
<img src="url generated from above code" />
How can I have the image display only if an authenticated firebase user with permissions is viewing it? If the url is viewed in an incognito window it will return a 403 or something.
No, download URLs are always universally accessible until its token is revoked. This behavior can't be changed. If you need to apply security rules to a file, you have to use the SDK to download the content, since the SDK is aware of the user signed in through Firebase Authentication.
I am creating a dashboard which uses a few iframes to bring in Solarwinds data. The problem righ now is that, everytime I load the iframe I have to type in the username and password and manually login.
Is there a way to do this by passing userid and password into the URL. The URL that my iframe calls to load the Solarwinds data is:
"http://myserver/Orion/DetachResource.aspx?ResourceID=XXXX&NetObject="
Note: xxxx = a 4 digit Resource ID
Yes, this is possible, but it will expose the password to anyone who views your dashboard since it will be right there in the source code as well as anyone watching network traffic or able to poke around the browser cache. If this is not something you are concerned about in your environment, you can include the credentials in the URL with the AccountID and Password query string parameters. Like this:
http://myserver/Orion/DetachResource.aspx?ResourceID=XXXX&NetObject=&AccountID=guest&Password=NotASecretAnymore