Content owner only access in storage of firebase android Java - javascript

I am making a voice recording application in which the recording is saved in firebase storage in a folder named emailID (user email id when registered). I want that only the user can have access to that folder. Means that user can only open their own folder (matching name to their email). I want this feature to make my application more secure. I need the javascript code for the storage rules (according to my need) in firebase.
In this way, no one can get access to firebase storage until they log in, and after that, they can have access to their folder only.

It sounds like you're looking for this:
service firebase.storage {
match /b/{bucket}/o {
// Files look like: "Zrecorder/<email>/path/to/file.txt"
match /Zrecorder/{email}/{allPaths=**} {
allow read, write: if request.auth.token.email == email;
}
}
}
Also see:
The Firebase documentation on properties in the request variable

Related

Active Directory access Azure Storage from browser

I want to use Azure Active Directory to allow users to read and write to Azure storage (specifically all Blobs and Tables) from a single-page web app.
I started like this:
import { InteractiveBrowserCredential } from '#azure/identity';
import { TableClient, TableServiceClient } from '#azure/data-tables';
const credentials = new InteractiveBrowserCredential({
clientId: myAuthConfig.clientId,
tenantId: myAuthConfig.tenantId,
});
const client = new TableServiceClient(
`https://${myAuthConfig.storageAccountName}.table.core.windows.net`,
credentials
);
client.listTables().byPage().next().then(console.log);
This works totally fine! I can see all the tables on the account. But then I wanted to list some of the data in on of the tables. So I did:
const client = new TableClient(
`https://${myAuthConfig.storageAccountName}.table.core.windows.net`,
'<table name>',
credentials
);
client.listEntities().byPage().next().then(console.log);
But this gives an error:
{
"odata.error": {
"code":"AuthorizationPermissionMismatch",
"message": {
"lang":"en-US",
"value":"This request is not authorized to perform this operation using this permission.\nRequestId:<uuid>\nTime:2021-10-28T18:04:00.0737419Z"
}
}
}
I'm very confused by this error. As far as I can tell I've done everything right. I followed every tutorial. I've set up active directory permissions for my app to use the storage API, my Microsoft account has permission to access the tables, OCRS is enabled, etc.
I'm not sure why I would have access to see a table but not see what's in it. I tried to use InteractiveBrowserCredential.authenticate to explicitly set scopes like this:
const scopes = ["User.Read"]
credentials.authenticate(scopes).then(console.log);
It works fine for User.Read but I couldn't figure out what scopes corresponded to Storage read/write access. If I added a scopy like "Microsoft.Storage" it told me that it didn't exist
Has anyone got an error like this before? What am I supposed to do here?
Thank you #gaurav mantri ,Posting your suggestion in comment as an answer.
From error it looks like your service principal does not have access permission to your table storage data. You should either grant permission using a RBAC role on the storage account resource (add to storage account contributors or readers) as below. Or use Storage Explorer to grant permission.
In your storage account please check, if you have Storage Table Data Contributer /Storage table data reader roles assigned as commented by #gaurav mantri
If not , you can add them
go into your storage account > IAM > Add role assignment, and add the special permissions
If roles are already assigned , the issue might be due to storage account being protected by firewall. Please try configure in Firewall and virtual networks of your storage account to add an existing virtual network or create a new vnet.If there is no issue you may allow access from all networks.
References:
Authorize access to tables using Active Directory - Azure Storage |
Microsoft Docs
Assign an Azure role for access to table data using powershell -
Azure Storage | Microsoft Docs

Firebase storage access token gets removed when passed as a parameter to firebase dynamic link

I've stored an audio file in firebase storage and I want to pass its url with access token as a parameter to the firebase dynamic link.
I wan to make my file.component,ts available for public share on whatsapp, FB etc and below is the code where I am getting the file parameters
this.activatedRoute.queryParams.subscribe(params => {
this.userName = params["user"];
this.audioPath = params["audio"]; //firebase storage audio with access token
this.docId = params["docId"];
this.docTitle = params["title"];
this.userId = params["userId"];
)
Now I want to pass all the above parameters as a link to the firebase dynamic link http.post call to get a short link.
The audio parameter consists of url to firebase storage access url along with the access token e.g
https://firebasestorage.googleapis.com/v0/b/<site>/o/audio%2Fsong1-min.mp3?alt=media&token=xxxx-xxxxx-xxxx-xxxxx
The moment I pass this audio variable to the dynamic link, it removes the token and reduces the path to
https://firebasestorage.googleapis.com/v0/b/<site>/o/audio%2Fsong1-min.mp3
Hence when I receive the short link it displays all other fields on UI along with the audio tag but the src has the token removed hence external user cannot play the audio if shared on whats app, FB etc.
Is there anyway I can send this firebase storage access url as it is inside the dynamic link so that the audio could play.
I don't believe this is possible in the way you are designing it, Firebase Dynamic Links will take out the token to shorten the link and there is no way to force it not to do it. What you could do is either:
1 - Make the File publicly readable;
2 - Have the file be fetched and processed separetly in your app without using Firebase Dynamic Links;
The problem may be linked to the method that you use to generate the Dynamic Links. The longDynamicLink method of the firebase REST API seems to exclude tokens, but the dynamicLinkInfo seems to keep them, so try that latter instead.
The following error message pops up when using the longDynamicLink approach with a token:
{
warningCode: 'UNRECOGNIZED_PARAM',
warningMessage: "Unrecognized param 'token'. [https://firebase.google.com/docs/dynamic-links/create-manually#ddl_parameters]"
}

Firebase storage rules error: unexpected identifier; function taken from documentation

I am using firebase and am trying to make the storage publicly accessible. According to the firebase documentation I need to include the following code, which I added to the .js file which contains a function that sends user input to storage.
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write;
}
}
}
Based off others' problems I've tried:
adding ;-s
changing it to firebase.storage(code),
doing var storage ...
but none of these methods work.
I have my code for configuring firebase (apiKey, authDomain, databaseURL, projectID, and storageBucket) and also initialized the app.
This isn't code that you would put in a JS file, this is a firebase storage security rule. It is a configuration that you would configure in the console for your project (alternatively, you can deploy the rules via the CLI, but they are still not a direct part of your application code).
You should navigate to the rules tab and input the configuration there:
Of course, the rule you are suggesting here is very dangerous!
This rule will allow any user (including unauthenticated users!) to write as much as they want into your storage bucket -- effectively giving you the bill for their free storage. You should consider carefully if this is what you really want.

Implementing multiple account access to a single feature with Firebase

I'm creating a web app with Firebase on the back end where multiple users can access a feature, created by a root user.
The real-time db structure looks like this
project
project id
userID:userID of the user who created it
meta:other information about the project ...
team:
memberid1:{}
memberid2:{}
Until now, I've only allowed the root user to access the project. To do this, I've used the ref.orderByChild('userID').equalsTo(userID of user logged in) method of firebase js sdk to determine if the logged in user can access it because userID is a direct child of projectID.
But now, I want to allow multiple users to access a project. For this I've added a new child called team under which members can be added. But I can't use the aforementioned method to determine if a user who's logged in can access the project because the memberID is a grandchild of the project and hence orderByChild chained with equalTo won't work.
How could I do this with the DB structure as I stated above, and if it's not, how could I do this with a change in DB structure.
get project_id and team members of all projects and store in object with project id and member_id.Then, get project_id of corresponding to member id of logged in user and retrieve the project if project exists.
Yes we can definitely do that,the below code tries to explain that.
var uid = UserId of user logged in
ref.get().then(function(doc) {
if(doc.data().userID == uid || doc.data().team['memberid1] == uid || doc.data().team['memberid2'] == uid) {
\\ checks here whether user is authorized
}
});
One thing to note here is, if there are more than 2 members then this code may not be optimized

List files current user can edit using Google Drive API

I'm trying to use the Google Drive API in Javascript to get a list of files that the signed in user can edit. How do I do this?
I've tried using a files/list request to get the list of files which gets a list of all files by default:
https://developers.google.com/drive/v2/reference/files/list
The request also accepts search parameters:
https://developers.google.com/drive/search-parameters
e.g. to search for files writeable by the user "test#example.org" use 'test#example.org' in writers
I need to be able to say ' [current user's email address] in writers' or something similar for this to work though and I can't see any way to programmatically get the current user's email address.
Should be able to do that with a query like:
'user#example.com' in owners or 'user#example.com' in writers
That'll return files the current user either owns or it where it was shared with them with edit permissions.

Categories