Add support for GCS FileData in inference

[dlarocque]

This chain of branches is getting a bit messy- I'm just putting this PR out so it can be reviewed :)

This PR follows #8216, and uses Firebase Authorization tokens to allow users to pass URLs in generateContent to GS resources that are secured by Firebase Security Rules.

This currently works against the production backend. I live tested in a React application configured with Firebase auth, storage, and vertexai.

Live tested using the following:

const firebaseConfig = { /* OMITTED */ };
const app = initializeApp(firebaseConfig);
const auth = getAuth(app);
const vertex = getVertexAI(app);
const model = getGenerativeModel(vertex, { model: 'gemini-1.5-pro-preview-0409'});
const storage = getStorage(app)

async function run() {
  await signInWithEmailAndPassword(auth, "username@gmail.com", "password")
  const catRef = ref(storage, 'public/cat.jpeg')
  const googleStorageURL = catRef.toString();

  await model.generateContent({
    contents: [
        {
          role: "user",
          parts: [
            { text: "What is this?" },
            {
              fileData: {
                mimeType: 'image/jpeg', // Note: getMetadata(catRef) could be a convenient way to get the mimeType
                fileUri: googleStorageURL 
              }
            },
          ],
        },
    ],
  });
} 

Storage rules:

rules_version = '2';

service firebase.storage {
  match /b/{bucket}/o {
    match /public/{allPaths=**} {
      allow read: if true;
      allow write: if false;
    }
    match /images/{allPaths=**} {
      allow read: if request.auth != null;
      allow write: if false;
    }
    match /user/{userId}/{allPaths=**} {
      allow read: if request.auth != null && request.auth.uid == userId;
      allow write: if false;
    }
  }
}

Test cases:

1. A signed in client provides a GS URL they have permission to read: Success
2. A signed in client provides a GS URL they don't have permission to read: 403 Permission Denied
3. A client that is not signed in provides a GS URL they have permission to read: Success
4. A client that is not signed in provides a GS URL that they don't have permission to read: 403 Permission Denied

Sample request payload:

{
  "generationConfig": {},
  "safetySettings": [],
  "contents": [
    {
      "role": "user",
      "parts": [
        {
          "text": "What is this?"
        },
        {
          "fileData": {
            "mimeType": "image/jpeg",
            "fileUri": "gs://<project>.appspot.com/public/cat.jpeg"
          }
        }
      ]
    }
  ]
}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2c1c31b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[google-oss-bot]

Size Report ¹

Affected Products

No changes between base commit (070e0cc) and merge commit (62d5047).

Test Logs

• Base (070e0cc): https://github.com/firebase/firebase-js-sdk/actions/runs/8974454876
• Merge (62d5047): https://github.com/firebase/firebase-js-sdk/actions/runs/8974504080

1. https://storage.googleapis.com/firebase-sdk-metric-reports/otqT7Wznm3.html

[google-oss-bot]

Size Analysis Report ¹

Affected Products

No changes between base commit (070e0cc) and merge commit (62d5047).

Test Logs

• Base (070e0cc): https://github.com/firebase/firebase-js-sdk/actions/runs/8974454876
• Merge (62d5047): https://github.com/firebase/firebase-js-sdk/actions/runs/8974504080

1. https://storage.googleapis.com/firebase-sdk-metric-reports/rAKAVBjsXi.html

[hsubox76]

Looks good minus the stray yarn.lock change. I guess the design for now is to send the auth token on every request though it's only needed on requests that send fileData? I guess this is in anticipation of more auth gating in the future. We can discuss it further offline.