If I wanted to achieve the same result, that is to serve assets of others from my own domain, I'd just create a custom endpoint like /api/user-avatar/:userId and an action proxies the actual image from google, maybe keep a cached copy for some time to not have to redownload the image on every request.
This seems problematic to me. Beyond just caching issues, did you ever get permission from users to store their personal data? They gave google permission, but not you.
If I wanted to achieve the same result, that is to serve assets of others from my own domain, I'd just create a custom endpoint like /api/user-avatar/:userId and an action proxies the actual image from google, maybe keep a cached copy for some time to not have to redownload the image on every request.
This seems problematic to me. Beyond just caching issues, did you ever get permission from users to store their personal data? They gave google permission, but not you.
The users are going through an OAuth flow and creating an account. Presumably they are agreeing to a ToS as part of that.
It even says in the OAuth flow that the company is requesting your profile image.
Nice, but doesn't automatically update when the Google avatar changes. Cache invalidation strikes again.
I really didn't get what the post was about. I'm getting old or? And I thought I was clever because I work with distributed databases...
The post seems to be written by a developer that has never heard of caching and thinks they have invented some illicit solution by implementing it.
It makes very little sense - They don't want to ask users to trust Google's domain despite... integrating the user's google account? What?
And in what way is this stealing? Caching a publicly available asset? Sounds like you are save Google bandwidth/money.
The post assumes the reader is familiar with where things are happening and who is involved. Guess I'm not part of the target audience.
Loading an img tag doesn't involve trusting a domain. Especially using crossorigin and refererpolicy attributes.
Isn't this just passthrough caching with some persistence?
Irony: Claim you're stealing from Google, then post it on a .dev domain, of which Google is the operator.
<Furiously typing GDPR data request..>
Surely you could think of something better to work on