I wondered how could I get a publicly accessible url for a timeline item attachment (like an image) that doesn't require authentication to access it?
This is unfortunately not possible as image attachments are private to the user: they indeed require an access token to be retrieved.
The only way you could make the image publicly available is by providing some sort of proxy that would fetch the image using a stored token and returning it to the requester.
Related
I am using active storage in my Rails application. The frontend is on React. I am uploading an image via react uploader and sending that image to the backend API where I am storing it to S3 bucket using active storage.
This is the API that handles the image:
if image.attached?
opts = ImageUploader.resize_to_fill(blob: image.blob, width: 100)
variation = ActiveStorage::Variation.new(combine_options: opts)
variant = ActiveStorage::Variant.new(image.blob, variation)
return rails_representation_url(variant, only_path: true)
end
This returns the path in the following format:
/rails/active_storage/representations/...../file_name.png
This works all fine when I use this path inside the application, but I want to send this image in email, there the image breaks as the src attribute can not read this path. If I append http://localhost:3000 manually in the email through dev tools, I am able to see the image then.
Weirldy, in the email, I also see the path appended with http by itself like below:
http:/rails/active_storage/representations/...../file_name.png
I did a workaround and gave only_path to false. This way I was able to get back the complete URL but in the email I got duplicate http written somehow.
Desired Result:
Either the email also appends the host_url along the protocol or removes the http also so that I am able to pass the complete valid URL.
If there is a way to alter the api and somehow get the s3 endpoint directly that would really really work but I am not sure how to do so. It would return the url like this: //{bucketName}/uploads/file/id/image.jpeg
Any help please!
Using the Microsoft Graph API it is possible to create Azure Applications using the applications end point.
https://learn.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http
An application has a logo and when you add it through the Azure Portal then the info/logoUrl property has a value. How do you set the logo through the graph? I've tried setting it to a url and there is no error, but the value does not get set.
Microsoft Graph API v1.0 now supports uploading logos, although I was unable to find this particular endpoint in their documentation but this may be because the v1.0 API is only a couple of weeks old at time of writing.
Request:
Content-Type: image/png
PUT https://graph.microsoft.com/v1.0/applications/<object-id>/logo
<binary content>
In Postman, you can set binary body content by going to Body and then clicking binary from the radio buttons. Make sure you set the Content-Type header accordingly, e.g. image/png for a .png file
You will receive a 204 No Content empty response on success, it appears to take effect immediately in the Azure Portal when viewing the App Registration.
As mentioned in another reply, the info/logoUrl is Read-only in Microsoft Graph, we could not set it directly, also per my test, even the request returns 204, it will not take effect.
My workaround is to use the Azure AD Graph API, you could try the request below in the postman, it works on my side.
Request URL:
PUT https://graph.windows.net/<tenant-id>/applications/<object-id>/mainLogo?api-version=1.6
In the postman, Authorization -> Bearer token -> fill your token, in the Body, select binary -> Select file, then Send.
Note: Your picture could not be large, otherwise you will get a The stream write request would result in an excessive number of bytes being written error.
Check in the portal:
Besides, if you just want to set the logo Programmatically, you could use the powershell Set-AzureADApplicationLogo, it is the easiest way I can find.
Set-AzureADApplicationLogo -ObjectId <object-id> -FilePath C:\Users\joyw\Desktop\pic1.jpg
I'm afraid we can't modify the logo through the Microsoft Graph API.
The info/logoUrl is read-only based on informationalUrl resource type.
I have encountered a problem where I need to cache image urls in browser after first load so that on every refresh same files are not fetched again and instead they are obtained from browser cache. The blocker here is that s3 signed url contains 'date' and 'signature' parameters which change on every request and hence I cannot cache it. Is there some workaround to this?
Sample urls :
https://bucket.region-name.amazonaws.com/67/13/14/design1.png_1547473003445/V0/thumbnail/design1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIATY536SGM6CWFJ%2F20190116%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20190116T093449Z&X-Amz-Expires=900&X-Amz-Security-Token=FQoGZXIvYXdz%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDOQ2d%2FbrCADhrzi5LSKsAVrViSpTmyeTwlv8mgStqYJquyL2u4i3zqSOAFRE8fbHy7EbxH5yAmmWM94clRMm9to9LJDaxP96tAM4Za%2BFSzfr3fBTpHy%2Fq8N8fMT4%2FLv3Q5oX1k%2Fj9meYHpcH539LOLu8LmRuXGrPlbuHb7l4z7ZAWFB5MvootGvp0pfcEh6BqXr9R0iygJq3LWwoBhr5A9dRqSsLfWx9KTRTFi9KBkI%2FYtZCjEejdaVsExooufX74QU%3D&X-Amz-Signature=314c2ab2be7db4a90a3b20a79e2b53e8b915ca612ad3c6794136a4dac0fe6119&X-Amz-SignedHeaders=host
refereshed one :
https://bucket.region-name.amazonaws.com/67/13/14/design1.png_1547473003445/V0/thumbnail/design1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA536UOMZINFU%2F20190116%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20190116T093659Z&X-Amz-Expires=900&X-Amz-Security-Token=FQoGZXIvYXdz%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDF4rMeLkeIEnbQWu6CKsAWTaVEcUia6oXeuaDObUF5Cirhzko1le9KGQfPKs5ZIwWk6o0qzHIzCe9uYdfBSmanXrfDxRHK33zbccphSwQkPI8mp%2Fl%2FGljXZALFDKZdRny4DnF2MXfy5WiFKBVSYHZ5onNZxSA4VrgNHeYbe6drI6QwMR9cHij13D8RK2XYDlmM6oVaCjGdMgL4QdpdHangaV0ZEq2GfOAYFfIps9nCM0WCH3Z3%2BpJFVfF9kouvb74QU%3D&X-Amz-Signature=5c5dead27c779299f5aef84e60e7c88a13f4cada9baa77e74e62b51caa1c0099&X-Amz-SignedHeaders=host
The presigned URLs are used to give temporal permissons to a URL in a private bucket, you could opt for a public bucket or and an Authentication endpoint to the API.
I'm creating a dating React web app where users can upload pictures of themselves to their user profile. I want to use Firebase storage. I want to protect the images so that they are only viewable when accessing from my web app by authenticated users - right now I get an image like this:
let storageRef = firebase.storage().ref(`images/${userid}/${userImageName}`);
// Get the download URL
storageRef.getDownloadURL().then(function(url) {
// Insert url into an <img> tag to "download"
})
This is great - but once I put the URL in the src attribute in the image tag anyone who views the source code can copy the URL and send it via email, text message, etc., making it "public". I have tried uploading images in base64 string using the putString() function also only for Firebase storage to yet again create a URL for it like a normal image upload when using the put() function.
So my question is - can I use Firebase Storage to store images and make them "private" so that only authenticated users of my web app are able to view them? Is there a way to get only the image data and use that to generate the images in the frontend/client so that no actual URLs are ever placed in the JS code?
The call to getDownloadURL() is protected by Security Rules, which means that if you write a rule like:
service firebase.storage {
match /b/{bucket}/o {
match /images/{userId}/{userImageName} {
// any authenticated user can read the bytes or get a download URL
allow read: if request.auth != null;
// only the given user can upload their photo
allow write: if request.auth.uid == userId;
}
}
}
They will not allow unauthenticated people to download URLs.
As for the second issue: once someone can see a file, assume that they have already downloaded/screenshotted it and can share it, even if the URL isn't publicly accessible (or even on the page). Viewing something is equivalent to downloading it, so there's really no difference where it's coming from as the end result can be the same.
I have an angularJS application whose authentication system is made with an access_token and communicating with a backend server written in Go
Therefore to authenticate the user, I have to add the access_token to each request ?access_token=SomeTokenHere or via a header Access-Token: SomeTokenHere
It works great.
The issue is that my backend serves protected images, and I cannot put the access token in the image src for some security reasons(If the user copy/paste the link to someone else, the access_token would be given too ...)
What I'd like to do is to inject a header containing my access token, but since the request is made from the browser it doesn't possible.
This could probably be possible with a cookie, but I'd to avoid using a cookie especially because the angularApp and the backend are not on the same sub-domain.
Another idea would be to create a directive that would get the raw data, and set the data to the image. First I don't know if this is possible and is it a good idea for hundreds of images in the webpage ?
If you have any idea, I'd be glad to hear from you !
Thanks
It is typical problem, and fortunately it was already solved - for example on Amazon S3.
Solution idea is simple: instead of directly using secret key - you can generate signature with access policy, using that key.
There is good algorithm designed especially to generate signatures for this purpose - HMAC
You can have one secret key on your server and use it to sign every image URL before it would be sent to client, also you can add some additional policies like url expiration time...