Meliovation

Reputation: 360

Is it safe to store only the Firebase Storage download URL token (not the full path)?

I have an Angular app using Firebase Storage to store user-uploaded photo files. After the user uploads a file, I call getDownloadURL() (returns Observable) to get the full public URL path. I want to store the URL string in a Firestore database so it can be bound to an img HTML element src property for display on a web page. That will save me from having to call the Storage API to get every image URL one-by-one asynchronously.

This URL includes a token value in the query string which I assume is un-guessable and used for security as a sort of password. To save space, should I only store the token in the database? I can assemble the rest of the cloud folder path using variables - the token is the unique part. The full URL path is quite long as you can see. Do you think the rest of the URL path will ever change?

Example Firebase Storage download URL (not real)

https: -- //firebasestorage.googleapis.com/ -- v0/b/my-bucket-name-goes-here/o/T4uk5DnzXlO1C7hs9HrSdb7yxsM2%2Fthumb%2FcX2kCobDqdRgN3snefYh.jpg?alt=media&token=238b33ad-f823-4876-a5e2-626ca157ed10

Upvotes: 5

Views: 1854

Answers (1)

Doug Stevenson

Reputation: 317467

The only guarantee that you receive from the API is that the entire URL will fetch the file in storage. You should treat it opaquely and not try to break down or interpret its components.

Upvotes: 2
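
An added example (not code from the answer or from Firebase) contrasting the two storage choices discussed above: keeping the download URL verbatim next to the object path, versus rebuilding it from the token. The record shape, the function names and the sample URLs are assumptions made for illustration, and no Firebase SDK is called.

```javascript
// Constructed sample modelled on the (not real) URL in the question.
const SAMPLE_URL =
  "https://firebasestorage.googleapis.com/v0/b/my-bucket-name-goes-here/o/" +
  "T4uk5DnzXlO1C7hs9HrSdb7yxsM2%2Fthumb%2FcX2kCobDqdRgN3snefYh.jpg" +
  "?alt=media&token=238b33ad-f823-4876-a5e2-626ca157ed10";

// Opaque approach: keep the URL byte-for-byte as returned, plus the object
// path, so a fresh URL can be requested later if the stored one stops working.
// The returned object is a stand-in for a Firestore document (hypothetical shape).
function makePhotoRecord(storagePath, downloadUrl) {
  if (typeof downloadUrl !== "string" || downloadUrl.length === 0) {
    throw new TypeError("downloadUrl must be a non-empty string");
  }
  return Object.freeze({ storagePath, downloadUrl });
}

// Token-only approach from the question: every literal below is an assumption
// about a URL layout that the API does not promise to keep.
function rebuildFromToken(bucket, storagePath, token) {
  return "https://firebasestorage.googleapis.com/v0/b/" + bucket + "/o/" +
    encodeURIComponent(storagePath) + "?alt=media&token=" + token;
}

// Audit helper: list the stored records whose real URL the rebuild approach
// would NOT reproduce. It peeks at the token only to run that comparison.
function findRebuildMismatches(records, bucket) {
  return records
    .filter((r) => {
      const token = new URL(r.downloadUrl).searchParams.get("token");
      return rebuildFromToken(bucket, r.storagePath, token) !== r.downloadUrl;
    })
    .map((r) => r.storagePath);
}
```

Any record reported by `findRebuildMismatches` would have become a broken image under the token-only scheme, while the verbatim `downloadUrl` keeps working for as long as the service honours it.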
