I am making a app that allows users to upload images to their profile page. I was using firebase Storage to store the images using a folder for each user. The problem I have is the Url for the images are accessible without evening signing into my app. Can I limit access to users that have signed in to my app? Im using a custom sign in token. Or do I need to switch to another storage provider.
It sounds like you're using Firebase Storage's download URLs. These are (by definition) URLs that give anyone who has them read-only access to the file. Download URLs are only generated when you call getDownloadUrl() (or the equivalent method on the platform you use). So if you don't want this behavior, don't call getDownloadUrl().
If you don't have a download URL, the files in Storage are only available by using the Firebase SDK. At that point all access to the files is secured through the security rules that you've defined for your project. For more on this, see the Firebase documentation on securing access to files.
Related
I've found that with https://www.googleapis.com/auth/drive scope, my app can read all existing files (and their contents) in a Google Drive, but when I auth the app, it says that this scope can also delete files in the drive and I don't want to grant that.
I know that by itself https://www.googleapis.com/auth/drive.file only allows the app to read files created by the app itself or especially granted access.
I've tried other combinations, but can't find one where the the app can read the contents of any file I can see, but can't delete anything. This is the closest I've come:
https://www.googleapis.com/auth/drive.metadata
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/drive.activity
https://www.googleapis.com/auth/documents
Is there a combination that will achieve my goal?
Based on your needs, you should be eyeing https://www.googleapis.com/auth/drive.readonly. This enables you to read the file metadata and content.
Allows read-only access to file metadata and file content.
Resource:
Scopes
There isn't one if you have access to read and write to a file then you will also have access to delete that file.
Its how they have permissions setup.
If you don't want to upload and only download try drive readonly.
scopes#drive
If you're not intending to create any files or save any data to Drive, then you have the https://www.googleapis.com/auth/drive.readonly scope.
Note that this is a restricted scope that will grant your app with read-only access to the user's entire Drive, but it will also prevent your app from creating any new files or editing existing ones.
If you want your application to be able to access the entire Drive, and you're planning to release your app to the public, you should submit your application to a restricted scope verification and security assessment; otherwise your app will be limited to 100 users, and users will see a warning while your app is unverified.
Here's more information:
OAuth 2.0 Scopes for Google APIs - Drive API, v3
Additional Requirements for Specific API Scopes section in the Google API Services User Data Policy
OAuth API verification FAQs
I am developing a LMS in Laravel and uploading all the video files to aws s3 bucket and can play them using video js player. But problem is, users can download the video files, which I want to stop. Can anybody suggest me is it possible or not? If possible, can anyone tell me how can I do that?
Objects in Amazon S3 are private by default.
However, if you wish students to make use of a file (eg a learning course video), you will need to grant access to the file. The best way to do this is by using Amazon S3 pre-signed URLs, which provide time-limited access to a private object.
For example, the flow would be:
A students logs into the LMS
A student requests access to a course
The LMS checks whether they are entitled to view the course (using your own business logic)
If they are permitted to use the course, the LMS generates a pre-signed URL using a few lines of code, and returns the link in a web page (eg via an <a> tag).
The student can access the content
Once the expiry duration has passed, the pre-signed URL no longer works
However, during the period where the student has access to the file, they can download it. This is because access has been granted to the object. This is necessary because the web browser needs access to the object.
The only way to avoid this would be to provide courseware on a 'streaming' basis, where there is a continuous connection between the frontend and backend. This is not likely to be how your LMS is designed.
Question: Say a user uploads highly confidential information. This is placed in a third party storage server. This third party bucket uses different authentication systems to the web application. What is the best practice for ensuring only the user or an admin staff member can access the file url?
More Context: A Django web application is running on Google App Engine Flexible. Google Storage is used to serve static and media files through Django. The highly confidential information is passports, legal contracts etc.
Static files are served in a fairly insecure way. The /static/ bucket is public, and files are served through django's static files system. This works because
there is no confidential or user information in any of our static
files, only stock images, css and javascript, and
the files are uglified and minifed before production.
For media files however, we need user specific permissions, if user A uploads an image, then user A can view it, staff can view it, but user B & unauthenticated users cannot under any circumstances view it. This includes if they have the url.
My preferred system would be, that GCP storage could use the same django authentication server, and so when a browser requested ...google.storage..../media/user_1/verification/passport.png, we could check what permissions this user had, compare it against the uploaded user ID, and decide whether to show a 403 or the actual file.
What is the industry standard / best practice solution for this issue?
Do I make both buckets only accessible to the application, using a service account, and ensure internally that the links are only shared if the correct user is viewing the page? (anyone for static, and {user or staff} for media?)
My questions, specifically (regarding web application security):
Is it safe to serve static files from a publicly readable bucket?
Is it okay to assume that if my application requests a file url, that this is from an authenticated user?
Specifically with regards to Django & GCP Storage, if 2 is false (I believe it is) how do I ensure that files served from buckets are
only visible to users with the correct permissions?
Yes, it is. Public readable buckets are made for that. Things like, CSS, the logo of you company or some files that have no sensible data are safe to share.
Of course, do not use the same Public bucket to store private/public stuff. Public with Public, Private with Private.
Here is the problem. When you say "authenticated user", to whom you want that user to be authenticated to?
For example, if you authenticate your user using any Django methods, then the user will be authenticated to Django, but for Cloud Storage it will be an stranger. Also, even a user authorized on GCP may not be authorized to a bucket on Cloud Storage.
The important thing here is that the one that communicates back and forth with Cloud Storage is not the User, its Django. It could achieve this by using the python SDK of Cloud Storage, which takes the credentials of the service account that is being used on the instance to authenticate any request to Cloud Storage. So, the service account that is running the VM (because you are in Flexible) is the one that should be authorized to Cloud Storage.
You must first authorize the user on Django and then check if the User is able to access this file by other means(Like storing the name of the file he uploaded in a user_uploaded_files table).
Regarding your first question at the top of the post, Cloud Storage lets you create signed urls. This urls allow anyone on the internet to upload/download files from Cloud Storage by just holding the url. So you only need to authorize the user on Django to obtain the signed url and that's it. He does not need to be "authorized" on Cloud Storage(because the url already does it)
Taken from the docs linked before:
When should you use a signed URL?
In some scenarios, you might not
want to require your users to have a Google account in order to access
Cloud Storage, but you still want to control access using your
application-specific logic. The typical way to address this use case
is to provide a signed URL to a user, which gives the user read,
write, or delete access to that resource for a limited time. Anyone
who knows the URL can access the resource until the URL expires. You
specify the expiration time in the query string to be signed.
Following on from Nahuel Varela's answer:
My system now consists of 4 buckets:
static
media
static-staging
media-staging
Both the static buckets are public, and the media buckets are only accessible to the app engine service account created within the project.
(The settings are different for dev / test)
I'm using the django-storages[google]with #elnygrens modification. I modified this to remove the url method for Media (so that we create signed URLS) but keep it in for static (so that we access the public URL of the static files).
The authentication of each file access is done in Django, and if the user passes the test (is_staff or id matches file id), then they're given access to the file for a given amount of time (currently 1 hour), this access refreshes when the page loads etc.
Follow up question: What is the best practice for this time limit, I've heard people use anywhere from 15mins to 24 hours?
Currently my website runs on google app engine with Django and my static files are served using google cloud storage. I had explored the documentations and I could not find a easy way to serve my static files securely.
Let say i am logged in as a user into Django site. I only want the logged in user to see the picture and other user can't see the picture.
Currently the picture is serve using a link to the google cloud storage and the access are made public.
However, that means that anyone with that link can view that picture. How do i make sure that only the logged in person with the link can view the image instead of everyone with the link can view it, is there any way to do it with google app engine standard, google cloud storage and Django?
I also know that google cloud storage can have some form of access control but how do i link that part with Django users?
Maybe you can set your bucket acl to private and implement Signed URL feature for your purpose.
https://cloud.google.com/storage/docs/access-control/signed-urls
For Python take a look at documentation about signed URLs: https://googleapis.github.io/google-cloud-python/latest/storage/blobs.html#google.cloud.storage.blob.Blob.generate_signed_url
I have people uploading video content and I'd like to restrict the video content to ONLY be streamed from my site. Since the video URLs in the video tag are easily accessible through the HTML source, I was to stop people from copying the direct s3 url and putting it in another tab.
I was looking over the docs here: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html#Condition
But it wasn't immediately obvious to me.
Thanks for your help!
You need to make this bucket private and use the signed URL to give access only to your users on your website. Signed URLs have short life (and required policy baked into it) when you generate them. This will prevent misuse even if somebody steals the URLs (or sends you the faked referrer headers etc).
You can create these URLs manually (difficult to manage) or programmatically (some coding work required). In the second case, once your website user contacts your server, then generate and serve the auto-expiring URL. Use this URL then on your website.
Overview of Signed URLs - Amazon CloudFront.