I want to build a tiny story system where users can upload videos.
I'm using Firebase and the frontend will be in flutter.
I'm struggling a bit to design the flow from frontend to my Go backend. What's the simplest way to achieve this ?
From what I understand I could use different flows:
Front ask for an upload signed url to Go backend
Backend generate a gcp storage signed url
Front uploads the video
Front send the link to backend
Backend transcode the video
Backend store the link in firestore
Or
Front use directly firebase storage
Front send the link to backend ?
What's the benefits of using an upload signed url vs directly firebase storage?
Thanks in advance
What's the benefits of using an upload signed url vs directly firebase storage?
Firebase storage offers simplicity of security rules to restrict access while using GCS directly will require you to have a backend to generate signed URLs. I would prefer signed URLs when it's the system does not use Firebase Authentication or you want some validation before the file is uploaded as first place. However most of that can be done using security rules as well.
When using Firebase storage, the upload is simpler just by using uploadBytes() function while signed URLs would require some additional code. An example can be found in this
I am not sure what you mean by 'transcode video' but you can use Cloud Storage Triggers for Cloud Functions and run any actions such as adding URL to Firestore or process video once a file is uploaded.
Related
Okay, I was using Flutter and Firebase to upload data into Cloud Storage. I gained the downloadURL which can be accessible on web if people know the URL. I had enabled Public Access Prevention in Google Cloud Storage Console based on this doc and chose Access Control Uniform for this on doc.
I also had added Security Rule in Firebase Cloud Storage, so only Users with certain custom token can use it. But, it seems useless as everyone can get its downloaded URL. My question is why is that I still able to access the file if I am using the same URL which was I stored in Firestore? You can test it on this url.
Can hacker get the download URL I downloaded from Firestore?
Is there a secure way to download song from Firebase Cloud Storage so hacker won't get its URL?
Thank you for helping me out.
Updated v2:
I just found out that current audio file has its own AuthenticatedUrl as shown on this picture below. How can I get access to this url?
Updated v1:
I think I haven't activated Firebase App Check. Does this feature have ability to prevent it from being accessed publicly or maybe there is other things that I have to do to be able to prevent it being accessed publicly, beside all ways I described above???
Security rules only check if a user can get the download URL and do not restrict anyone from using it. You can use the getData() method instead. It doesn't return any URL and downloads the files directly and is controlled by security rules. So a user must be authenticated to fetch them.
As mentioned in the Answer :
If you're using the FlutterFire Storage library in your app, you can
call getData on a reference to the file to get its data. So with
that you just need to know the path to the data, and you won't need
the download URL in your application. Once you have the data locally,
you can create an image out of it with: Converting a byte array to
image in Flutter?
Unlike download URLs, the call to getData() is
checked by security rules, so you'll have to ensure that the user is
permitted to access the file.
You can also refer to this Answer :
For web apps: in the JavaScript/Web SDK using a download URL is the
only way to get at the data, while for the native mobile SDKs we also
have getData() and getFile() methods, which are enforced through
security rules.
Until that time, if signed URLs fit your needs
better, you can use those. Both signed URLs and download URLs are just
URLs that provide read-only access to the data. Signed URLs just
expire, while download URLs don't.
For more information, you can refer to this Github issue where a similar issue has been discussed.
I need to store my service data in Google Storage and let my users download files depending on their (users) access rights.
I've already made service that connects to Google Storage using server-centric mechanism, and transfers them to client-side, but I need client-side to go to Storage and download file without server-side.
I've tried to use temporary links for files, but I can't check, if user downloaded file or not to properly delete temporary link.
I've tried to look for oauth2 support, but it seems Google doesn't support oauth in such way (When my service decides to allow access or no).
The best solution is to generate tokens for users and if Google Storage would call my service before every file download.
How can I achieve that?
Since firebase hosting only serve static pages, can I serve [dynamically generated] AMP pages with firebase-storage?
Now with firebase cloud functions, you can use an all-firebase solution:
As an answer to an http request, you can query the database and dynamically generate a amp/html page that is send to the browser.
Here is my approach generating an html page Firebase HTTP Cloud Functions - Read database once
By now I have developed it further to serve an amp page.
If I understand AMP correctly, it can be used entirely statically, so there's no reason an AMP page couldn't be hosted on Firebase Hosting.
If you're doing dynamic rendering, you'll want to use App Engine, Compute Engine, or Kubernetes (or similar tech on different cloud platforms).
You can set up a bucket on Google Cloud Storage as a website. See this article:
https://cloud.google.com/storage/docs/hosting-static-website
You can also use the firebase storage bucket for that, because firebase storage === google cloud storage.
Regards, Peter
I am trying to figure out which is better: resumable upload or signed url. For upload only. Does anyone know if one uploadid can be used by multiple uploads? Or how can a user upload multiple files using one uploadid?
If your goal is to allow users without Google credentials to upload objects, signed URLs are your best bet. This is their intended purpose.
You can use uploadIds to accomplish the same goal, but they are much less featureful in this regard. For example, they do not support setting expiration times, and the server must set all parameters other than the data itself.
I have a Google Cloud Endpoints wich is using Cloud SQL to store data. I want to provide a file upload for Clients and the files should be stored in Cloud Storage but I also want to store file meta data and the file storage url in Cloud SQL.
What's the best was to do this?
Can I upload files through cloud endpoints or do I need an extra upload Servlet?
How can I update my database entities which needs a reference to the uploaded files.
Any examples on how to combine those 3 technologies?
Assuming your clients are not added to your google cloud project (which is typically the case), your users don't have write access to your GCS bucket. You can either submit files to your application and move to GCS from there (not recommended as consumes more network and CPU) or a better way is to submit to GCS directly.
To let the client write to your GCS bucket directly, you will need to either:
1. put your access key on client for write access (not recommended), if the client is used by limited trusted people.
2. generate a time-bound token and put it on the client as signed URL to upload directly.
Endpoints APIs themselves cannot do this, but you can generate the signed GCS URL at the server and get it using endpoints on client. then set it as form action (on web client, other clients have similar ways for signed upload) and submit the form to upload the file.
<form action="SIGNED_URL_FROM_ENDPOINTS" method="post" enctype="multipart/form-data">
I don't see an open-source code out there doing exactly this, but closest is this project that does generate the signed URL with a time-out (the only unintuitive part).
Best way to update the metadata in your database is to watch GCS bucket using 'Object Change Notifications'. Another way is to send the metadata to your server from client itself, which can be an endpoints call. You can also use a mix of both where the metadata goes to server using endpoints even before the the file is uploaded and the notification updates the record with confirmation that it is available to serve.