I am currently developing a web app based on Firebase Auth, Firestore and Storage where users can upload their files into a bucket and have them strictly private.
I have added rules to Storage like this:
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /filearchive/{fileName} {
      // any signed-in user may read
      allow read: if request.auth != null;
      // a user may only write the file named after their own uid
      allow write: if request.auth.uid + ".pdf" == fileName;
    }
  }
}
And after the user uploads his files, I track the uploads with a Firestore collection that stores the URLs obtained with this method:
.snapshot.ref.getDownloadURL().then(downloadURL => {
  // downloadURL is saved to the Firestore collection
})
Everything works, but if I try to copy and share the link of an uploaded document, it includes its token inside the query string and becomes publicly accessible to everybody.
I know that I can revoke the file token, but this can happen only after a leak; it could be hard to identify (I don't know which tools to use), and for sure it consumes bandwidth/data from my plan if these files are used externally.
Does someone know what the best practice is, and how I can secure the uploaded files and make the rule "allow read: if request.auth != null;" respected?
Regards
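An added example in JavaScript (not code from the question) showing what makes such a link public and what to persist instead: it parses the Firebase Storage download URL format, flags the embedded token, and returns the bucket/path pair to store in Firestore so the reading client fetches through the SDK as the signed-in user. The bucket, path and token values are constructed placeholders.

```javascript
// A Firebase Storage download URL has the form
//   https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<url-encoded path>?alt=media&token=<uuid>
// The token is a bearer capability: whoever holds the URL can read the object and
// Storage rules are not consulted. Persisting only the object path, and reading it at
// runtime through the SDK (e.g. getBlob(ref(storage, path)) from "firebase/storage"),
// keeps reads under "allow read: if request.auth != null".

const DOWNLOAD_HOST = "firebasestorage.googleapis.com";

// Parse a download URL into bucket and object path, and report whether it carries
// a public access token.
function inspectDownloadUrl(urlString) {
  const url = new URL(urlString);
  if (url.hostname !== DOWNLOAD_HOST) {
    throw new Error(`not a Firebase Storage download URL: ${url.hostname}`);
  }
  // pathname looks like /v0/b/<bucket>/o/<encoded object path>
  const m = url.pathname.match(/^\/v0\/b\/([^/]+)\/o\/(.+)$/);
  if (!m) throw new Error(`unexpected download URL path: ${url.pathname}`);
  const bucket = m[1];
  const path = decodeURIComponent(m[2]);
  const token = url.searchParams.get("token");
  return { bucket, path, hasToken: token !== null && token.length > 0 };
}

// The record to keep in Firestore instead of the URL: bucket and path only.
// A client rebuilds a storage reference from these and downloads via the SDK.
function toStoredFileRecord(urlString) {
  const { bucket, path } = inspectDownloadUrl(urlString);
  return { bucket, path };
}

// Audit helper: from URL strings already saved in a collection, list those that
// embed a token (candidates for replacement by path-only records and token revocation).
function findTokenedUrls(urls) {
  return urls.filter((u) => {
    try { return inspectDownloadUrl(u).hasToken; } catch { return false; }
  });
}

// Constructed sample URL; bucket, path and token are placeholders, not real values.
const SAMPLE_URL =
  "https://firebasestorage.googleapis.com/v0/b/example-app.appspot.com/o/filearchive%2Fuser123.pdf?alt=media&token=00000000-0000-0000-0000-000000000000";
```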