I need to access an image in my Firebase storage without exposing the URL or being only accessed on my website.
The problem is that the image is the background of my website and I can't use Auth to secure it.
I can't afford to repeatedly being accessed by someone and ended up billing me.
I've tried gsReference but when getting the image it uses gsReference.getDownloadURL() and puts it in the CSS file and if I inspect and copy-paste the URL in another tab, it can read the image.
If you generate a download URL for a file in Cloud Storage, it will be accessible by anyone with that URL from anywhere on the internet.
If you need to control access to a file in Cloud Storage, don't use download URLs. Instead, use Firebase Authentication along with the Cloud Storage for Firebase SDK to download files that are protected by security rules that allow access for a given user who is logged in. This is the only way to limit downloads.
Related
How can I authorise my app to be able to access images in my firebase storage without the user having to sign in?
Should I just remove all read protections in the security rules for images, or is there a better way to do this altogether?
For context this is so that the app can load images on the home page that have been uploaded by other users for non authorised users to browse. Like the airbnb homepage for example.
Or is there some way to authorise my app on its own? Thanks in advance!
If you want to provide public access to files stored in Firebase Storage to a web applications, you can request a download URL for each file. Download URLs are fully public until you choose to revoke their access token. No SDK is needed to access these files - the URL is all you need.
I need to share to the employee tons of files of a specific Team Drive through our ERP. Since the files should be downloadable and I cannot redirect the users to the Drive page I need to download these files from the Drive by the API and show them to download on the ERP.
The point is that I cannot found a way to allow the Drive API through Browser connect to a single drive account with OAuth and allow every user on the App get the files on the view. All the ways I found request the current user an access to its own drive and it isn't what I want.
I found a way to do this with NodeJS API (without browser), but this will need too much data to transfer from the back to the front and it dont seems to much smart since (I believe) I can download directly from the Drive to the Client without need to pass by my server, but I can't found a way to do this.
What I really searching for is a way to allow a specific domain to aways access a specific user Google Drive with certains credentials and, knowing this, dont request to every user using the app authorization to its own drive.
I'm trying to change my Tamper/Grease monkey userscript to pull updates from GCS. While this is usually trivial if the storage is public, the file URL requires verification that the user is a member from our domain. There in lies the problem.
If the URL is accessed via the browser, it bounces around some redirects for Google Auth, and eventually retrieves the file and will "remember the login" for some time. This is a manual intervention process and is not a transparent solution.
If I pull the file when auth isn't known (ie: new browser), I get a 302 redirect, which when run under the userscript scope in TamperMonkey is simply treated as an error, and not followed (This is part of the RFQ from memory).
Now, if I use the script to push the URL as a link in the page, the link works (domain auth already in use to access the page). If I use the script to access the link, the tokens aren't available (guess?), and so a 302 takes place, and because it's in script land, it silently fails.
I'm looking to find out what JS I need to import, to pull any required auth tokens that the user already has, and send them along with the request to the GCS location. Note that Google Auth is required to be using the underlying website, and usernames will be on the required domain.
The GCS file has Domain:Reader permissions set with our domain listed.
I'm new to webdev so forgive me if this is an obvious one, but I can't wrap my head around a solution.
I'm currently hosting a static website on AWS S3. The login page is available for public access, but all other pages are only available to a specific IAM role that an authorized user will assume. Once a user enters their login credentials they will receive temporary AWS credentials that grant them access to restricted pages.
My question is: how do I programmatically load a restricted webpage? Normally I would do something like:
$('body').load(/path/to/index.html);
But the /path/to/index.html is only accessible to users with the IAM role. So do I need to use the S3 sdk to access that file? In my head I would need to do something like:
$('body').load(s3.getObject(/path/to/index.html));
But that wouldn't actually work.
Thanks for the help!
Do not put the page (HTML) itself as secret. Instead, put your essential data into a json file, and do a XHR to it.
Using a frontend framework with router, you can check if the user is authenticated and render a 403 if not.
The method depends on your framework, and I'm not going to describe it. You can use AWS SDK to fetch from S3 with authentication.
Im working on an web application using the MEAN Framework, within that app I want to give the users the ability to upload files.
Now heres the main thing:
All users uploaded files should be uploaded to a SINGLE dropbox account (my account)
They will only upload files of with the max size of 20MB (I've already built the functionality to check the file size before upload)
What I've done:
Ive gone to a Dropbox developers and I have setup my app. And now I have access to my appKey, appSecret and also a Access Token
My questions:
Is it possible for me to connect a single dropbox account (my
account) to my app and give users in my app access to upload/download files from the dropbox but by using my apps interface?
As I already have the access token would I or every user in my app still need to go through
the OAUTH process?
Can I just send my Access Token with each request to Dropbox api every
time a user uploads a file through a specific form on my app?
If you can provide an example or a link that would be very helpful.
UPDATE:
I generated my token using the following button on the dropbox developers console:
Assumption: it is supposed the user of your apps are "legit" and that they won't do anything of your dropbox files that should concern you.
Yes, it is. You can configure your app to be the consumer of your dropbox; of course, your app will also have to make sure the users of the app are legit (check them with user/password login and so on) --note: consequences can be that any unauthorised person able to use your app can delete permanently all your files (or do anything as bad as possible according to the privileges)
The access token is part of OAuth, so I am not sure what you mean when you say "process". I will interprete your question as "how do I refresh my token?". Simply, before every call to dropbox API by your app, you check the expiration of your access token: if it is still valid you just perform the call, otherwise you request a new token. You do not need a Refresh token in this case: the OAuth mechanism (or 'grant flow' as per OAuth jargon, or 'process' to use your word) you are using is called "client credentials grant flow"
See above 2)
Some links for you: Here some overview of the grant flows.
Here a schema of that grant flow (note: MS uses another component called "ActiveDirectory" to grant permission; in your case, both "Azure AD" and "Resource API" are just "the dropbox server")