Firebase Storage Wildcard Rules with Custom tokens

1
votes

For some reason I can not get wildcards to work in a path with custom tokens. The user has the custom tokens assigned like admin: true and ySWLb8NSTj9sur6n2CbS: true

service firebase.storage {
  match /b/{bucket}/o {
        match /conferences/{confId}/sponsors/{sponsId=**} {
        allow read: if request.auth.uid != null
        allow write: if request.auth.token.confId == true
    }
  }
}

I am trying to write to /conferences/ySWLb8NSTj9sur6n2CbS/sponsors/whatever.jpeg from the client and got an access denied.

If I change now to the below it works without problems.

service firebase.storage {
  match /b/{bucket}/o {
        match /conferences/{confId}/sponsors/{sponsId=**} {
        allow read: if request.auth.uid != null
        allow write: if request.auth.token.admin == true
    }
  }
}

I have even tested it with changing the custom token to ySWLb8NSTj9sur6n2CbS: "ySWLb8NSTj9sur6n2CbS" and then trying the below without success and getting access denied!

service firebase.storage {
  match /b/{bucket}/o {
        match /conferences/{confId}/sponsors/{sponsId=**} {
        allow read: if request.auth.uid != null
        allow write: if request.auth.token.confId == confId
    }
  }
}

I have the feeling the wildcard is not picked up for some reason or am I overlooking something here? On the documentation I found this: https://firebase.google.com/docs/storage/security/user-security?authuser=0

1
firebasefirebase-storagefirebase-security

1 Answers

1
votes

So I figured out that the other way around it works for some odd reason. I have assigned to the user a custom claim in form of an array. In that array you have the confId. So I check if the relevant confId is in that array.

service firebase.storage {
  match /b/{bucket}/o {
        match /conferences {
        match /{confId}/sponsors/{sponsorId} {
        allow read: if confId in request.auth.token.userEvents
        allow write: if confId in request.auth.token.adminEvents
      }
    }
  }
}