I have built an app that allows customers to purchase access to download files that are stored using Firebase Storage. When they make the purchase, the asset ID from Storage is linked to their user ID using Firebase Firestore. It looks like it is not possible to update the Firebase Storage server side security rules to use the Firestore record. However I have found that it is possible to add custom claims to the Firebase User or to update the image metadata in storage to include the user ID.
https://firebase.google.com/docs/auth/admin/custom-claims
https://firebase.google.com/docs/storage/web/file-metadata
Is either method (updating user custom arguments, or updating the storage asset metadata) a better method in terms of scaling up this app to check if the user can access the asset that they are trying to download using Firebase Storage server side security rules?
Thank you