4
votes

I have set rules for our Firebase Storage to only allow authenticated users to interact with it.

rules_version = '2';

service firebase.storage {
  match /b/{bucket}/o {
    match /something/{allPaths=**} {
      allow read, write: if request.auth.uid != null;
    }
  }
}

However, when I browse the details of the assets saved in the storage in the Firebase Console, I do find for each of these, a link to open these publicly (when I open the details of a file), for example:

https://firebasestorage.googleapis.com/v0/b/${my-project}.appspot.com/o/${my-file}?alt=media&token=49385ae5-4df6-44ef-a313-8d1f07b59111

My guess is that this link is the downloadURL and the public access is granted through the token.

Therefore I understand that the storage content is actually not fully private, because even if I set strong rules and even if I personally and my apps don't generate download URLs, Firebase still automatically generates such a URL for each file and therefore, even if tokens are hard to find, the content is in any case publicly accessible online.

Is my understanding correct?

Or is the link I found in the Firebase console not the download URL but a temporary link, i.e. does the token provided by the console have an expiration lifetime?

Or is it possible to set the Firebase Storage Bucket to not generate any download links ever?

1 Answer

7
votes

Anyone who has a download URL with a valid token can access the content from anywhere. However, if you never expose that URL to anyone, it's essentially impossible for anyone to guess that URL, even if they know the path. The token is random and contains a tremendous amount of entropy.

If you're concerned about anyone guessing this URL with the correct token, you should also be concerned about two random atoms in the universe colliding with each other. (That's a slight exaggeration, but you can do the math if you assume that each character of a token is a valid hex digit.)

If you're still paranoid, and you don't want to generate any download URL at all, you will have to manually revoke the download URL tokens, and use an upload technique that doesn't also create a download URL, and never call getDownloadUrl on any file from a client app.
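
The entropy estimate and the token revocation advice from the answer above, worked through as an added example (not part of the original question or answer). It assumes download tokens are stored in each object's custom metadata under `firebaseStorageDownloadTokens` as a comma-separated list; the project name, object listing and function names are constructed for illustration.

```javascript
// Added example, not code from the original post. Assumption: Firebase keeps
// download tokens in the object's custom metadata under this key, comma-separated.
const TOKEN_KEY = "firebaseStorageDownloadTokens";
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Pull the token out of a download URL like the one the console shows.
function tokenFromDownloadUrl(url) {
  return new URL(url).searchParams.get("token");
}

// Random bits in a token. A v4 UUID fixes 6 of its 128 bits (version, variant);
// anything else falls back to the answer's assumption of 4 bits per hex digit.
function tokenEntropyBits(token) {
  if (UUID_V4.test(token)) return 122;
  return 4 * (token.match(/[0-9a-f]/gi) || []).length;
}

// Expected years to hit one specific token: on average half the space is
// searched, at `guessesPerSecond` requests per second (BigInt arithmetic).
function expectedYearsToGuess(bits, guessesPerSecond) {
  const seconds = 2n ** BigInt(bits - 1) / BigInt(guessesPerSecond);
  return seconds / 31536000n; // seconds in a 365-day year
}

// Report every object that still carries a download token, together with the
// metadata patch that clears it (a custom metadata key set to null is deleted).
function auditDownloadTokens(objects) {
  return objects
    .map((o) => ({
      name: o.name,
      tokens: String((o.metadata || {})[TOKEN_KEY] || "").split(",").filter(Boolean),
    }))
    .filter((o) => o.tokens.length > 0)
    .map((o) => ({ ...o, patch: { metadata: { [TOKEN_KEY]: null } } }));
}

// Constructed sample: token taken from the URL in the question, made-up project and paths.
const sampleUrl = "https://firebasestorage.googleapis.com/v0/b/example-project.appspot.com/o/" +
  "something%2Fa.png?alt=media&token=49385ae5-4df6-44ef-a313-8d1f07b59111";
const sampleObjects = [
  { name: "something/a.png", metadata: { [TOKEN_KEY]: tokenFromDownloadUrl(sampleUrl) } },
  { name: "something/b.png", metadata: {} },
  { name: "something/c.png", metadata: { [TOKEN_KEY]: "constructed-token-1,constructed-token-2" } },
  { name: "something/d.png" },
];

const bits = tokenEntropyBits(tokenFromDownloadUrl(sampleUrl));
console.log(`${bits} random bits, ~${expectedYearsToGuess(bits, 1e9)} years at 1e9 guesses/s`);
console.log(auditDownloadTokens(sampleObjects));
```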