Hiding API Key on Xively Image - xively

I'm interested in using Xively's image embed code in a website I'm working on, but I need to either:
Make the Xively feed public in order to access the image
Include the API key in the get request
Now I do not want to expose our private information or open up the datastreams to being modified without my permission using my API key, what options do we have? In other words, how can I conceal the API key in the image URL that your can easily find by viewing the source? I'm not particularly keen on saving the image locally, renaming it, and then serving it from our server with a different name.

Xively API keys have very fine-grain permissions. You probably want to generate a key that has:
read-only access to just that specific feed
referrer set to the domain of your website
You will find an "Add Key" button on your develop workbench, see screenshot below.
This should protect your data, but still keep your device's feed private.

Related

How to hide Google Storage bucket path and image name from URL

I'm using Google Storage to store profile pictures of my users. I have couple of thousands pictures.
Now the pictures are being saved in a bucket like so:
data/images/profiles/USER_ID.jpg
So the URL to an image:
https://storage.cloud.google.com/data/images/profiles/USER_ID.jpg
I don't want users being able to see someone else picture by just knowing their USER_ID, and still, It has to be the USER_ID for easier search from a developer's side.
I can't use Signed URL as my users do not have a google account, and the pictures from the storage are fetched from a Mobile Application.
Is there a way to keep the file names as they are in the storage, but simple hide the path+filename from the URL?
https://storage.cloud.google.com/fc720d5c05411b03e5e2a6692f8d7d61.jpg -> points to https://storage.cloud.google.com/data/images/profiles/USER_ID.jpg
Thank You
You have several options. Here are a few:
Have users request the URL for another user from the server, then have the server decide whether or not the user is allowed to see the image. If so, have the server (which does have a service account) generate a signed URL and pass it back to the user (or redirect to it). This way, although the user may know the user ID of another user and the URL of their image, they still can't see the image unless the server agrees that this is okay.
Use Firebase Storage to manage the images, which will still store them in GCS but will give you Firebase's auth support.
Proxy the images through your app, either an app engine app or something running in GCE or GKE. This lets you hide everything about the source of the image, including the user ID, but has the downside of requiring all of the data to pass through your service.
Reexamine your requirements. "Easier search on the developer's side" may not be as important as you think, and you need to way the benefit of that vs the cost of working around it.
Another option is Google Images API available on AppEngine. You can link your Cloud Storage objects with Google Images API and use benefits of this API - secure URLs, transform and resize images using URL parameters.
You only need to prepare servingURL for every image stored in GCS and persist this serving URL (for example in Google Datastore)
ImagesService imagesService = ImagesServiceFactory.getImagesService();
ServingUrlOptions suo = ServingUrlOptions.Builder
.withGoogleStorageFileName(gcsImageObjectPath)
.secureUrl(true);
String servingUrl = imagesService.getServingUrl(suo);

How to hide the Firebase Storage download URL from the network tab of browsers?

I'm leveraging Firebase Authentication for downloading images from firebase storage. I'm also leveraging google API HTTP referrers for blockage by domain so that my image from firebase storage is only accessed from my website. But when I go to the network tab of my browser I can see the download URL of the image. By this, anyone can download my image and use it. What should I do so that my images are secured?
P.S: I'm using the firebase storage SDK and by following the documentation when I execute this code below
storageRef.child('images/stars.jpg').getDownloadURL().then(function(url) {
// `url` is the download URL for 'images/stars.jpg'
var img = document.getElementById('myimg');
img.src = url;
}).catch(function(error) {
// Handle any errors
});
I can see the download URL in the network tab of my browser.
You can't. When you give up access to a Cloud Storage download URL to any one, in any way, you are implicitly trusting that user to its access. They are free to share it with anyone they want. If you don't trust that user, then don't give them the URL.
If you don't like the way this works, then don't use download URLs, and allow only secure downloads via the Firebase SDK. At that point, you are trusting the user they will not take the content and upload it elsewhere and generate a URL to it.
You seem to have two options as far as I can tell. Unfortunately, they are basically one in the same effectively as you will probably have to implement both.
The first option is to revoke the access token on individual files you don't want to be allowed to download. Unfortunately, this also means that you can't display them anywhere you currently do via the URL as it breaks that link. See this answer for why that is a pain to do.
The second option is to use storage references to download them client side, but this only works if you are using Firebase SDK's in a web app and not a simple static website. I think this shouldn't expose the URL on the network tab of the browser if the app is set up correctly.
You can implement the second option without the first and the URL shouldn't be exposed, but you can't use the url anymore and have to use both options if you implement the first one... :/ meh... firebase is great, but nothing is perfect
This seems to work, I'll update if it doesn't
Edit: "However, the CORS configuration applies only to XML API requests," which one can just go to the file still.. https://cloud.google.com/storage/docs/cross-origin
GCP console >_
pencil icon > create cors.json [{"origin":["https://yourorigin1.com"],"method":["GET"],"maxAgeSeconds":3600}]
go back to shell and enter gsutil cors set cors.json gs://yourproject1.appspot.com
https://stackoverflow.com/a/58613527/11711280
Workaround:
I will make all rules resource.data.authorId, resource.data.members, etc. I need to match the request.auth.uid (or control calls in client code to non-anonymous uid's), and sign-in every user anonymously, at first. Then, uid will not be null when using a firebase initialized from our domain

Accessing a WordPress Database from a mobile app

I have a WordPress website with custom tables that I store data into that was entered by customers. The site owner wants to develop a barcode app that can access this data. When I need the data from these fields to display within the site, I request it from a PHP script running on the server that make calls like get_post_meta().
The owner has hired a mobile app consultant who believes that, if he just has the password to the account where the site is hosted, he can access all of these database fields from the app.
I'm not seeing how this is possible. My understanding is that a mobile app can only access a site by making HTTP requests to it. It has no way of running on the server and executing things like get_post_meta().
Am I missing something?
Thanks
I think you are missing something. Wordpress now has a rest api https://developer.wordpress.org/rest-api/ that can allow a mobile application get at data in your database by making http requests.
The developer will need to be able to enable the Rest Api, but if you give her the password, she will probably be able to do so. Typically this is done using a plugin like: WP Rest API which enables a set of default endpoints which includes post meta data and allows you to add other endpoints
Depending on how the custom tables are set up, they might not be automatically available to the Rest API. However, if you are able to access them using get_post_meta() then I would expect that they would be accessible to the Rest API as well, most likely by adding endpoints.

PHPMotion implementation - URL based videos (Hosted on separate location)

I have to implement a video collection website for users of a specific ISP. The site will be hosted on a public web-server but all the movies will be hosted on local ISP server. The user of that ISP + general visitors can see the available movies; but only ISP's users will be able to play them.
The player on site will point to URL of a local machine (http://192.x.x.x/movies/mymovie.mov) this private class (192.x.x.x) will only be accessible to ISP user.
Question: Is it possible with PHPMotion script? or I need to do custom work.
If possible, can someone please suggest available MODs?
PHPmotion would require some modifications to be able to handle something like this. Uploading, conversion, thumbnail generation, and playback are all pretty static in PHPmotion.
Really though, rather than modding the entire upload and conversion process, if you created a quick custom form to add entries to the PHPmotion database (maybe include thumbnail upload), then tweaked the playback paths, you should be good to go on the PHPmotion side of things. This would assume that you already had your videos in a format that the player could handle (such as flv or mp4).

Image operations on remote server

I recently purchased a new domain for the sole purpose of hosting all the static content on a separate server and delegate CPU intensive operation like thumbnail creation on a different pool. Now I would like to do some operations on images uploaded to that remote server : creating thumbnails or updating the image if we need to. Should I download the images to my server, modify them there and then upload them back to the remote server or should I try to create web-services to manipulate the images?
One of my solution was to provide an interface to upload and manipulate the images in the new domain, by leaving the old domain when it comes time to work on images, but I find it kind of awkward.
I would like to keep the new domain cookie free. How would that affect my ability to restrict any random user to use the web-services if I decide to go that way?
Well you already have a server but this seems like it would have been a good oppurtunity to use google App Engine's image API. You could upload directly (I think size limit is 1 meg) and there are functions for resize, crop, etc.
http://code.google.com/appengine/docs/python/images/overview.html

Resources