firebase sessio cookies (create_session_cookie) working in combination with firebase storage
I have firebase authentication running nicely using using the create_session_cookie function in the server SDK.
session_cookie = auth.create_session_cookie(id_token, expires_in=expires_in)
response.set_cookie('session', session_cookie,
expires=expires, httponly=True, secure=False)
This work great to have persistent and secure tokens (secure flag is false as we are still in dev stage). Now here comes the question /problem:
After exploring our options for a while we would like to try out firebase storage such that our firebase authenticated users can directly upload their (very large > 1 GB) files to our firebase storage. while the storage itself is working, request.auth seems to be null (although I did not logout of firebase), while the firebase storage documentation claims I could use this while beeing logged in to firebase:
https://firebase.google.com/docs/storage/security/
Then I discoverd that in the "manage session cookie documentation" actually mentions that
Firebase session cookies cannot be used with other Firebase services
due to their custom validity period
https://firebase.google.com/docs/auth/admin/manage-cookies
It seems stupid but is it realy true that the firebase does not allow to use its own cookie to be used in their storage ??
So my question is can firebase session cookies somehow be used for security rules inside firebase storage, if yes how? If not, what would be the next best option using firebase storage? I really tried a long time to find something, but found nothing.
Thanks.
firebase firebase-authentication session-cookies firebase-storage firebase-security-rules
add a comment |
I have firebase authentication running nicely using using the create_session_cookie function in the server SDK.
session_cookie = auth.create_session_cookie(id_token, expires_in=expires_in)
response.set_cookie('session', session_cookie,
expires=expires, httponly=True, secure=False)
This work great to have persistent and secure tokens (secure flag is false as we are still in dev stage). Now here comes the question /problem:
After exploring our options for a while we would like to try out firebase storage such that our firebase authenticated users can directly upload their (very large > 1 GB) files to our firebase storage. while the storage itself is working, request.auth seems to be null (although I did not logout of firebase), while the firebase storage documentation claims I could use this while beeing logged in to firebase:
https://firebase.google.com/docs/storage/security/
Then I discoverd that in the "manage session cookie documentation" actually mentions that
Firebase session cookies cannot be used with other Firebase services
due to their custom validity period
https://firebase.google.com/docs/auth/admin/manage-cookies
It seems stupid but is it realy true that the firebase does not allow to use its own cookie to be used in their storage ??
So my question is can firebase session cookies somehow be used for security rules inside firebase storage, if yes how? If not, what would be the next best option using firebase storage? I really tried a long time to find something, but found nothing.
Thanks.
firebase firebase-authentication session-cookies firebase-storage firebase-security-rules
Since cookies are server side, you can validate them on your server and use Firebase Admin SDK to access that user's storage after verifying the payload of the session cookie and the user it belongs to.
– bojeil
Dec 3 '18 at 23:02
add a comment |
I have firebase authentication running nicely using using the create_session_cookie function in the server SDK.
session_cookie = auth.create_session_cookie(id_token, expires_in=expires_in)
response.set_cookie('session', session_cookie,
expires=expires, httponly=True, secure=False)
This work great to have persistent and secure tokens (secure flag is false as we are still in dev stage). Now here comes the question /problem:
After exploring our options for a while we would like to try out firebase storage such that our firebase authenticated users can directly upload their (very large > 1 GB) files to our firebase storage. while the storage itself is working, request.auth seems to be null (although I did not logout of firebase), while the firebase storage documentation claims I could use this while beeing logged in to firebase:
https://firebase.google.com/docs/storage/security/
Then I discoverd that in the "manage session cookie documentation" actually mentions that
Firebase session cookies cannot be used with other Firebase services
due to their custom validity period
https://firebase.google.com/docs/auth/admin/manage-cookies
It seems stupid but is it realy true that the firebase does not allow to use its own cookie to be used in their storage ??
So my question is can firebase session cookies somehow be used for security rules inside firebase storage, if yes how? If not, what would be the next best option using firebase storage? I really tried a long time to find something, but found nothing.
Thanks.
firebase firebase-authentication session-cookies firebase-storage firebase-security-rules
I have firebase authentication running nicely using using the create_session_cookie function in the server SDK.
session_cookie = auth.create_session_cookie(id_token, expires_in=expires_in)
response.set_cookie('session', session_cookie,
expires=expires, httponly=True, secure=False)
This work great to have persistent and secure tokens (secure flag is false as we are still in dev stage). Now here comes the question /problem:
After exploring our options for a while we would like to try out firebase storage such that our firebase authenticated users can directly upload their (very large > 1 GB) files to our firebase storage. while the storage itself is working, request.auth seems to be null (although I did not logout of firebase), while the firebase storage documentation claims I could use this while beeing logged in to firebase:
https://firebase.google.com/docs/storage/security/
Then I discoverd that in the "manage session cookie documentation" actually mentions that
Firebase session cookies cannot be used with other Firebase services
due to their custom validity period
https://firebase.google.com/docs/auth/admin/manage-cookies
It seems stupid but is it realy true that the firebase does not allow to use its own cookie to be used in their storage ??
So my question is can firebase session cookies somehow be used for security rules inside firebase storage, if yes how? If not, what would be the next best option using firebase storage? I really tried a long time to find something, but found nothing.
Thanks.
firebase firebase-authentication session-cookies firebase-storage firebase-security-rules
firebase firebase-authentication session-cookies firebase-storage firebase-security-rules
edited Nov 22 '18 at 15:24
Frank van Puffelen
230k28376400
230k28376400
asked Nov 22 '18 at 9:08
Caspar GoekeCaspar Goeke
11
11
Since cookies are server side, you can validate them on your server and use Firebase Admin SDK to access that user's storage after verifying the payload of the session cookie and the user it belongs to.
– bojeil
Dec 3 '18 at 23:02
add a comment |
Since cookies are server side, you can validate them on your server and use Firebase Admin SDK to access that user's storage after verifying the payload of the session cookie and the user it belongs to.
– bojeil
Dec 3 '18 at 23:02
Since cookies are server side, you can validate them on your server and use Firebase Admin SDK to access that user's storage after verifying the payload of the session cookie and the user it belongs to.
– bojeil
Dec 3 '18 at 23:02
Since cookies are server side, you can validate them on your server and use Firebase Admin SDK to access that user's storage after verifying the payload of the session cookie and the user it belongs to.
– bojeil
Dec 3 '18 at 23:02
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53427294%2ffirebase-sessio-cookies-create-session-cookie-working-in-combination-with-fire%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53427294%2ffirebase-sessio-cookies-create-session-cookie-working-in-combination-with-fire%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Since cookies are server side, you can validate them on your server and use Firebase Admin SDK to access that user's storage after verifying the payload of the session cookie and the user it belongs to.
– bojeil
Dec 3 '18 at 23:02