2
votes

When I simply "took" an image on the Firebase console, it automatically created a download URL for me, like https://firebasestorage.googleapis.com/XXX/YYY/XXX/name.jpg?alt=media&token=.

I want to have my file super-secured. How can I remove this download URL or revoke this token?

3 Answers

2
votes

The Firebase console provides a "revoke" option next to the download URL which can be used for this (look under the "File Location" tab). You should use Firebase rules to properly secure your assets, if object-level security is important to you: https://firebase.google.com/docs/storage/security/

2
votes

There's no way you can restrict that URL (not even through security rules). It is always public, but note that it is unguessable. There is also a revoke option through the Firebase console, just in case the URL leaks.

0
votes

As pointed out by others, you don't need to be concerned about this URL, as in practice it is very hard to guess. However, you should not share it or use it as an entry point to the application. Instead, you should use the Signed URLs support provided by Google Cloud.
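
The answers above treat the download URL as something that works for anyone who holds it and that should be revoked if it leaks. As an added example (not code from any of the posts), this Node.js script scans text such as logs for Firebase Storage download URLs that carry a `token` parameter and redacts the token before the text is shared; the sample lines, bucket name, object paths and token values are constructed.

```javascript
// Added example: locate Firebase Storage download URLs that carry a token,
// report them without re-leaking the token, and redact them in the text.

// Candidate URLs end at whitespace, quotes or angle brackets; the final
// character class keeps trailing sentence punctuation out of the match.
const URL_RE =
  /https:\/\/firebasestorage\.googleapis\.com\/[^\s"'<>]*[^\s"'<>.,;)\]]/g;

// One finding per URL with a non-empty token. Only the last four characters
// of the token are reported, enough to recognise it when revoking.
function findTokenUrls(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const match of line.match(URL_RE) || []) {
      let url;
      try { url = new URL(match); } catch { continue; } // skip malformed URLs
      const token = url.searchParams.get("token");
      if (!token) continue; // URL without a token grants nothing by itself
      findings.push({ line: i + 1, path: url.pathname, tokenSuffix: token.slice(-4) });
    }
  });
  return findings;
}

// Replace every token value with a fixed marker, leaving the rest of the
// URL (and the surrounding text) untouched.
function redactTokens(text) {
  return text.replace(URL_RE, (m) =>
    m.replace(/([?&]token=)[^&#]+/, "$1REDACTED"));
}

// Constructed sample input (made-up bucket, paths and tokens).
const BASE = "https://firebasestorage.googleapis.com/v0/b/example-app.appspot.com/o/";
const SAMPLE = [
  `GET ${BASE}users%2F42%2Fname.jpg?alt=media&token=00000000-0000-4000-8000-000000000001 200`,
  `img src="${BASE}logo.png?alt=media"`,
  `see ${BASE}a.pdf?token=00000000-0000-4000-8000-000000000002&alt=media.`,
].join("\n");

console.log(findTokenUrls(SAMPLE));
console.log(redactTokens(SAMPLE));
```

Any token the scan reports should be revoked in the console, since redacting a copy does not invalidate the URL.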