Cloud Storage resumable upload access token

0
votes

i am trying to build image uploader in vue js and i want it to be resumable upload and i am sending the request directly to cloud storage server from browser (not using php for example as a middle-ware to send upload request )

but the docs says i must have access token to get session url which i will use later to upload image , How To get this access token using JavaScript , google cloud doesn't have library for javascript but in node js which i can't use for browser usage

POST https://www.googleapis.com/upload/storage/v1/b/myBucket/o?uploadType=resumable HTTP/1.1 Authorization: Bearer [YOUR_AUTH_TOKEN]

from this page : https://cloud.google.com/storage/docs/json_api/v1/how-tos/resumable-upload

1
javascriptgoogle-cloud-platformgoogle-cloud-storage
Are you attempting to authenticate as yourself from a browser, or do you want to allow other users to act with your credentials to upload an object from a browser? - Brandon Yarbrough
yes i want other users to be able to upload images from thier browser to cloud storage bucket @BrandonYarbrough - wkasem2
You definitely do NOT want to do that by passing your access token to the client. Once a user has your access token, they can do anything with it until it expires. You'll either need them to use their own Google credentials (unusual, but makes sense for a tool to manage GCS buckets) or use some form of Signed URL. - Brandon Yarbrough
@BrandonYarbrough, could you make an answer from your last comment so it's clearer for people seeing this question? - LundinCast

1 Answers

1
votes

You definitely do NOT want to do that by passing your own access token to the client. Access tokens allow the holder to do anything within their scope until they expire. A malicious user who has your access token could cause almost unlimited problems.

You'll either need to have your customers use their own Google credentials (unusual, but makes sense for a third party tool for managing someone else's Google Cloud resources) or use some form of signed URL or similar feature.