DEV Community

[Comment from a deleted post]
 
Robert Lin

Hi David!

So, two quick notes:

First-- yes, regarding the downloadUrl-- I believe you are correct: The moment any file is uploaded to FB Storage, the Google Team, in their infinite wisdom, appears to have decided to by default create a mandatory public url that links to the storage asset. There are ways to bypass this if you're using GCP but with FB, it seems like we don't have a choice. Todd, Frank, David, Doug, et al all strike me as genius-level people so I'm sure there's a legit design decision for this impl. But I have no idea what it is. To me, it just seems like a potential security disaster waiting to happen… automatically creating a "public url backdoor" to any FB storage asset seems… not good? 🤔

(Again, I'm new to FB though so I feel like I honestly must be missing something or am incompletely understanding somewhere. Please lmk if so!)

Second-- so my approach is similar to the one you describe but also different in one significant way (I think). Just so I understand your solution though: In your example, where you specified the endpoint of
https://firebasestorage.googleapis.com/.../photo.jpg
and then manually send in the header:
'Authorization': Bearer ${firebase_user_auth_token}

What is ${firebase_user_auth_token} in this example? Are you getting it from here?

 
David Dal Busco

I wish I were still able to have a look at my source code to answer your question regarding firebase_user_auth_token but, as I ditched my concept and went with the downloadUrl, it's gonna be hard to find and remember. Honestly don't remember spontaneously, really sorry. Not sure if it is one I fetch with the Firebase SDK or one I define, get and add "manually" as metadata to the assets.

Thanks again for all the feedback, really interesting inputs and ideas!

 
Robert Lin

No worries! 👍 Again, thanks for sharing all of this info on Firebase Storage-- it's super-helpful! Gracias!! 🙏