I have a small app, i begin with IONIC and for the moment i store the token in the local storage. For the user informations (such as first name, last name or avatar for instance), how can i get that ? Should i make only one call and save those informations as an object in the local storage ? Or otherwise make a function which can get these informations when i need rather than saving that in a local storage ?
The main question is, is it safe to store user informations in a local storage ?
In general you could rely on localStorage with a Cordova app: in fact it is under the Cordova/app sandbox.
Some details and alternative (on iOS) are in this post:
http://developer.telerik.com/featured/securing-phonegapcordova-hybrid-mobile-app/
Another alternative is to use some plugin like the following:
https://github.com/Crypho/cordova-plugin-secure-storage
Related
Okay, I was using Flutter and Firebase to upload data into Cloud Storage. I gained the downloadURL which can be accessible on web if people know the URL. I had enabled Public Access Prevention in Google Cloud Storage Console based on this doc and chose Access Control Uniform for this on doc.
I also had added Security Rule in Firebase Cloud Storage, so only Users with certain custom token can use it. But, it seems useless as everyone can get its downloaded URL. My question is why is that I still able to access the file if I am using the same URL which was I stored in Firestore? You can test it on this url.
Can hacker get the download URL I downloaded from Firestore?
Is there a secure way to download song from Firebase Cloud Storage so hacker won't get its URL?
Thank you for helping me out.
Updated v2:
I just found out that current audio file has its own AuthenticatedUrl as shown on this picture below. How can I get access to this url?
Updated v1:
I think I haven't activated Firebase App Check. Does this feature have ability to prevent it from being accessed publicly or maybe there is other things that I have to do to be able to prevent it being accessed publicly, beside all ways I described above???
Security rules only check if a user can get the download URL and do not restrict anyone from using it. You can use the getData() method instead. It doesn't return any URL and downloads the files directly and is controlled by security rules. So a user must be authenticated to fetch them.
As mentioned in the Answer :
If you're using the FlutterFire Storage library in your app, you can
call getData on a reference to the file to get its data. So with
that you just need to know the path to the data, and you won't need
the download URL in your application. Once you have the data locally,
you can create an image out of it with: Converting a byte array to
image in Flutter?
Unlike download URLs, the call to getData() is
checked by security rules, so you'll have to ensure that the user is
permitted to access the file.
You can also refer to this Answer :
For web apps: in the JavaScript/Web SDK using a download URL is the
only way to get at the data, while for the native mobile SDKs we also
have getData() and getFile() methods, which are enforced through
security rules.
Until that time, if signed URLs fit your needs
better, you can use those. Both signed URLs and download URLs are just
URLs that provide read-only access to the data. Signed URLs just
expire, while download URLs don't.
For more information, you can refer to this Github issue where a similar issue has been discussed.
Using the firebase platform..
I would like to save some custom information about a user once they register.. and just for examples sake, lets say his/her favorite color.
So far when I register a user this is the only meta data I get
What options are at my disposal to get this done?
You have two options:
1 - Use Custom Claims
You can save additional data to the access token of the user. You can read that data directly from the user in the frontend and also in all database rules. I would recommend to use this for basic auth data like isAdmin or isRole if there are not much data to save. The reason for that is that it's quite limited in the amount of data you can save. Because it's saved in the token it has to be small so you should not save to much in it. You can find more about it here. You should edit this fields by a firebae cloud function using the admin sdk.
2 - Use one of the databases
I see it very often and it's quite common in Firebase to store such additional user data into one of the Firebase databases. You can make those 1000% securely by allowing only the user to write and read then or only to read depending on your needs. If you want to save more than just simple data I would recommend this. One reason more is if any other user like admin needs that data from another user you would not be able to get it by using the first option. It is also much easier to do it when the user needs to save data for himself and by himself. With the first version you would always need to involve cloud functions.
I very often use combination of both where I save such data like isAdmin to the custom claims but all other like nickname or some settings like language to a database. With the database I can also make it very easy to search through all users when you are an admin.
I want to restrict access to Firebase Storage objects with storage rules and custom claims on authenticated users. Both cool features, good for scaling.
My problem however is:
The Firebase Storage download link allows public access, no matter the rules.
My download link given by getDownloadURL() is:
https://firebasestorage.googleapis.com/v0/b/***myappname***.appspot.com/o/logos%2F1618740110634.png?alt=media&token=bdf6a5c5-54a2-4211-aa40-85177a38210a
My rules are:
match /{allPaths=**} {
allow read, write: if false;
}
What link then should I use to restrict access to authenticated users only and for checking custom claims with for my admin (excel reports) files? I am very confused.
Have tried direct links, without the token at the end, the given storage location link.
With the public link, anyone has access I don't want them to have.
Using Flutter mobile and web.
The getDownloadURL() always returns a public URL. Everyone who has it can access the file.
There are short lived signed token URLs but they are not supported on native device SDKs.
The downloadURL is very secure. If someon does not have it no one will get to your file. So the magic here is to not share it anywere and to get what you would like work only with references. Only if someone has access to your reference (according to the storage rules) he can generate the downloadURL.
I would recommend to work in your app only with those references and only get the downloadURL when you realy want to access the file in App or open it.
In the firebase storage rules you can then use auth and the customClaims to define who can access the file references.
Once a downloadURL is generated the firebase storage rules don't matter. The file will be accessible over that link.
I was trying to host a website on firebase and this keeps coming up enter image description here
If you want to initialize a Firebase project using the CLI (like you're doing), and you want to use Firestore or Storage, you first have to go into the Firebase admin console, click on Firestore and/or Storage, and select a location/region for your database/storage buckets. The error you're getting is that you're trying to set up Storage but you haven't yet set a Storage location for your buckets.
I need to store my service data in Google Storage and let my users download files depending on their (users) access rights.
I've already made service that connects to Google Storage using server-centric mechanism, and transfers them to client-side, but I need client-side to go to Storage and download file without server-side.
I've tried to use temporary links for files, but I can't check, if user downloaded file or not to properly delete temporary link.
I've tried to look for oauth2 support, but it seems Google doesn't support oauth in such way (When my service decides to allow access or no).
The best solution is to generate tokens for users and if Google Storage would call my service before every file download.
How can I achieve that?