Since firebase hosting only serve static pages, can I serve [dynamically generated] AMP pages with firebase-storage?
Now with firebase cloud functions, you can use an all-firebase solution:
As an answer to an http request, you can query the database and dynamically generate a amp/html page that is send to the browser.
Here is my approach generating an html page Firebase HTTP Cloud Functions - Read database once
By now I have developed it further to serve an amp page.
If I understand AMP correctly, it can be used entirely statically, so there's no reason an AMP page couldn't be hosted on Firebase Hosting.
If you're doing dynamic rendering, you'll want to use App Engine, Compute Engine, or Kubernetes (or similar tech on different cloud platforms).
You can set up a bucket on Google Cloud Storage as a website. See this article:
https://cloud.google.com/storage/docs/hosting-static-website
You can also use the firebase storage bucket for that, because firebase storage === google cloud storage.
Regards, Peter
Related
I want to build a tiny story system where users can upload videos.
I'm using Firebase and the frontend will be in flutter.
I'm struggling a bit to design the flow from frontend to my Go backend. What's the simplest way to achieve this ?
From what I understand I could use different flows:
Front ask for an upload signed url to Go backend
Backend generate a gcp storage signed url
Front uploads the video
Front send the link to backend
Backend transcode the video
Backend store the link in firestore
Or
Front use directly firebase storage
Front send the link to backend ?
What's the benefits of using an upload signed url vs directly firebase storage?
Thanks in advance
What's the benefits of using an upload signed url vs directly firebase storage?
Firebase storage offers simplicity of security rules to restrict access while using GCS directly will require you to have a backend to generate signed URLs. I would prefer signed URLs when it's the system does not use Firebase Authentication or you want some validation before the file is uploaded as first place. However most of that can be done using security rules as well.
When using Firebase storage, the upload is simpler just by using uploadBytes() function while signed URLs would require some additional code. An example can be found in this
I am not sure what you mean by 'transcode video' but you can use Cloud Storage Triggers for Cloud Functions and run any actions such as adding URL to Firestore or process video once a file is uploaded.
Okay, I was using Flutter and Firebase to upload data into Cloud Storage. I gained the downloadURL which can be accessible on web if people know the URL. I had enabled Public Access Prevention in Google Cloud Storage Console based on this doc and chose Access Control Uniform for this on doc.
I also had added Security Rule in Firebase Cloud Storage, so only Users with certain custom token can use it. But, it seems useless as everyone can get its downloaded URL. My question is why is that I still able to access the file if I am using the same URL which was I stored in Firestore? You can test it on this url.
Can hacker get the download URL I downloaded from Firestore?
Is there a secure way to download song from Firebase Cloud Storage so hacker won't get its URL?
Thank you for helping me out.
Updated v2:
I just found out that current audio file has its own AuthenticatedUrl as shown on this picture below. How can I get access to this url?
Updated v1:
I think I haven't activated Firebase App Check. Does this feature have ability to prevent it from being accessed publicly or maybe there is other things that I have to do to be able to prevent it being accessed publicly, beside all ways I described above???
Security rules only check if a user can get the download URL and do not restrict anyone from using it. You can use the getData() method instead. It doesn't return any URL and downloads the files directly and is controlled by security rules. So a user must be authenticated to fetch them.
As mentioned in the Answer :
If you're using the FlutterFire Storage library in your app, you can
call getData on a reference to the file to get its data. So with
that you just need to know the path to the data, and you won't need
the download URL in your application. Once you have the data locally,
you can create an image out of it with: Converting a byte array to
image in Flutter?
Unlike download URLs, the call to getData() is
checked by security rules, so you'll have to ensure that the user is
permitted to access the file.
You can also refer to this Answer :
For web apps: in the JavaScript/Web SDK using a download URL is the
only way to get at the data, while for the native mobile SDKs we also
have getData() and getFile() methods, which are enforced through
security rules.
Until that time, if signed URLs fit your needs
better, you can use those. Both signed URLs and download URLs are just
URLs that provide read-only access to the data. Signed URLs just
expire, while download URLs don't.
For more information, you can refer to this Github issue where a similar issue has been discussed.
Do you know if by making the images "Public" in IBM Cloud Object Storage it really becomes public meaning you can find the resources through web browser as google? or it becomes like "shared via link" because IBM COS provides a link, and that works just fine for the Watson Assistant image responses, but are those images unsafe somehow?
When making a folder in S3 / IBM Cloud Object Storage (COS) PUBLIC, the content is accessible. Because there are tools (and attackers) that scan for host names, IP addresses and available services, there is a chance that a scanner might find the offered resources (images). Public is public.
I have used images stored on COS in a public folder for chatbots developed with IBM Watson Assistant in image responses. If you use the web chat feature and users access the chatbot, they could download the images - the images are "public".
I have seen the tutorial for starting the cloud functions and creating a guestbook on IBM Cloud, but when trying to connect an App ID it actually requires an application and not a Cloud Functions API.
So how can I connect them? Is there some tutorial somewhere? What needs to be considered?
depending on what you want to do, take a look in https://console.bluemix.net/docs/services/appid/relatedlinks.html#secure.
Specifically one of
Securing your Cloud Functions API
Securing your serverless Cloud Functions mobile backend with App ID
Tutorial: GitHub traffic analytics with Cloud Functions and Cloud Foundry
Cloud Functions supports OAuth 2.0 user authorization out of the box and you can bound your App ID instance directly to it.
Here's a fairly recent tutorial showing the steps:
https://www.ibm.com/cloud/blog/authenticating-users-with-cloud-functions-api-gateway-and-app-id
If you're looking to automatically initiate a new authentication flow as in redirect to the an identity provider where you're user will sign in, you'll have to either add logic to your application using an OIDC SDK (For instance App ID's: https://github.com/ibm-cloud-security/appid-serversdk-nodejs/) or add it manually handle the flow from a set of actions.
If you go the action approach, you'll have to keep in mind that they are ephemeral and can't keep session state, so you'll have to keep secure cookies in the user's browser.
Hello l will like to set Google Cloud Storage to work only in some domain. example l store videos in the google cloud but l don't want other website to use then.
also l try to use the public but they still use the url
This isn't a built-in feature of GCS. However, you could implement it by making the videos private but having an app engine app that checked the referer of incoming requests and either failed or returned a signed URL for accessing the video.