A simple client-side photo sharing site.
The security model of this simple photo sharing app is predicated on locations being unguessable. We construct paths into Firebase using a hash of the file being uploaded. Anyone who has the shareable link can then look up the location in Firebase and view its contents.
A simple rule set is required to make sure none of the keys are enumerable from Firebase. This prevents retrieval of the keys from any of the Firebase clients, including REST endpoints. We also add a write rule to the photos so that once the data has been written, no one can overwrite or delete data that already exists. The rules for this application are in rules.json.
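A rule set of the kind described above, as an added example (not the project's own rules.json). It assumes the photos are stored under a top-level `photos` node keyed by the file hash; the node name `photos` and the variable name `$hash` are hypothetical.

```json
{
  "rules": {
    // Nothing is readable or writable at the root, so clients (SDK or REST)
    // cannot list the top-level keys.
    ".read": false,
    ".write": false,

    // "photos" is an assumed node name, not taken from the project.
    "photos": {
      // No ".read" here: a request for /photos is denied, which is what
      // keeps the hashes from being enumerated. Granting ".read" at this
      // level would cascade to every child and expose all keys.

      // "$hash" is an assumed wildcard name for the per-photo key.
      "$hash": {
        // Anyone who already knows the exact path can read that one photo.
        ".read": true,

        // Write-once: allowed only while the location is empty and the
        // request actually stores data. An overwrite fails because
        // data.exists() is true, and so does a delete, since a delete is
        // a write of null to an existing location.
        ".write": "!data.exists() && newData.exists()"
      }
    }
  }
}
```

Because the path is derived from the file's hash, the read rule treats knowledge of the path as the only credential: anyone who holds the same file can compute its location.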
- Add a chat/comment system to each photo.
- Support logging in with Facebook/Twitter to manage photos: edits, removals, etc.
- Add metadata to indicate public/private photos.
- Add a realtime feed of newly uploaded photos.
MIT, except sha256.js.
sha256.js is part of CryptoJS, which is distributed under the terms of this license (BSD 3-clause).