firebase storage rule doesn't work

1
votes

I'm using the default storage rule:

match /{allPaths=**} {
  allow read, write: if request.auth != null;
}

or

match /{allPaths=**} {
  allow read: if request.auth != null;
  allow write: if request.auth != null;
}

But without login, download url still accessible. How to prevent it? https://firebasestorage.googleapis.com/v0/b/sunshine-b9c43.appspot.com/o/user_icon%2FcwL09fN6x5fnaYBTbEXAHJ3rgxV2_1473299432313.jpg?alt=media&token=042803b7-a4f0-4728-9041-81e6d4b3eb1d

2
firebasegoogle-apifirebase-storage

2 Answers

0
votes

When you upload your data to Firebase Storage, you will be provided with two 'links' to get to that data:

  1. The private link. This link is only going to be accessible internally by authenticated users/devices.
  2. The public link. This link will technically be readable by anyone with the link, however, the link is supposed to be highly un-guessable. The token at the end would be extremely hard to guess. If you remove this token and navigate to the link, you will see that the Firebase Server blocks your access.

If you are uncomfortable having that link still 'out there' for the world to see, you can revoke the link.

See in the picture below. I took a screenshot to show you the private 'gc//' link as well as the public 'http' link. See that little 'revoke' option? You can use that if you have specifically sensitive data that you do not want users to view.

enter image description here

Update: It seems that at the time of writing this there is no API call or build in Firebase flag/function for getting rid of that public link; the only way is to manually revoke them, one at a time, through the FB Console. (ref: https://groups.google.com/forum/#!topic/firebase-talk/aw86jf8b7PY) Mike Mcdonald also makes note of the fact that once the user has already seen the image, there is always the possibility that they downloaded or saved it anyways, so revoking the URL may or may not have any real security impact anyways.

Another option that comes to mind, however, is pulling the images to your server and hosting them from there using a temporary (one-time?) link to serve the image, keeping that public URL for your eyes only. This adds more work on the server end, but if you absolutely need the security, it might be an option you'll want to explore.

Hope this helps.