Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Understanding Firebase Storage tokens

Tags:

I'm trying to understand how tokens work in Firebase Storage.

Whenever my web app uploads an image to FS it adds a token to its public url. The problem is whenever you upload that same image file to another part of the web app, it seems like you don't get another file, but a different token for the file url that was already uploaded, thus rendering a 403 error for the previous registered image display.

Is there a way to solve this?

Example:

storageRef.put(picture.jpg);
uploadTask.snapshot.downloadURL 
// returns something like https://firebasestorage.googleapis.com/v0/b/<your-app>/o/picture.jpg?alt=media&token=09cb2927-4706-4e36-95ae-2515c68b0d6e

That url is then displayed somewhere inside an img src.

<img src="https://firebasestorage.googleapis.com/v0/b/<your-app>/o/picture.jpg?alt=media&token=09cb2927-4706-4e36-95ae-2515c68b0d6e">

If the user repeats the process and uploads the same picture.jpg in another section of the app, instead of getting a brand new copy in Firebase Storage, the file is overwritten with an URL ending with a new token; say 12345.

So:

 <img src="https://...picture.jpg?alt=media&token=12345"> // New upload renders fine
 <img src="https://...picture.jpg?alt=media&token=09cb2927-4706..."> // But old upload breaks because of wrong url
like image 229
cerealex Avatar asked Sep 02 '16 13:09

cerealex


People also ask

What is token in Firebase Storage?

A Firebase download URL is a long-lived, publicly accessible URL that is used to access a file from Cloud Storage. The download URL contains a download token which acts as a security measure to restrict access only to those who possess the token.

Do Firebase Storage tokens expire?

The Firebase Storage token does not expire (see Stack Overflow). Therefore, without any other modifications, our downloadUrl also never expires and remains available.

How do I use tokens in Firebase?

Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.

Where does Firebase store token?

Token can be found in firebaseLocalStorageDB.


2 Answers

Tokens are unique for a particular version of an upload. If you overwrite the file with new content, then a new token will be generated with a new unguessable url.

So in other words, tokens are unique for a particular blob -- they are not unique per storage location. We did this as an increased measure of security to ensure that developers and end users did not accidentally expose data they did not intend.

You can, however, translate the storage location ("gs://mybucket/myfile.png") into a download url using our js SDK. That way, you can pass around the gs uri if you wish and translate it to a full URL once you want to place it into an image.

See: https://firebase.google.com/docs/reference/js/firebase.storage.Reference.html#getDownloadURL

like image 105
Benjamin Wulfe Avatar answered Sep 21 '22 11:09

Benjamin Wulfe


For public file upload: If you upload files in firebase functions you'll need to call makePublic() on the reference object in order to make it accessible without having a valid token.

like image 22
haxpanel Avatar answered Sep 18 '22 11:09

haxpanel