3
votes

My firebase storage rules are

service firebase.storage {
  match /{allPaths=**} {
    allow read: if request.auth != null;
  }
}

I am logged out of Google and in a Chrome browser (incognito mode) and I enter the URL I got from firebase.storage (the download URL link). I can still download the file. How do I secure the files to only allow downloads if the user has been authenticated by Firebase Authentication?

My files are in the root firebase.storage location.

I have also tried

service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read: if request.auth != null;
    }
  }
}

There is a "revoke download URL" option in firebase.storage but it doesn't seem to do anything at all.

1 Answer

1
votes

The download URL is public-access and intended for sharing the file with applications outside of Firebase. Firebase security rules do not control access to a storage object via a download URL. You can revoke a download URL using the Firebase Console.

See also this answer from a Firebase team member to a related question. He notes:

Using a download URL is the appropriate way to share files outside of an application, or to users who don't need to be logged in.