I use Flutter with Firebase to save my images, and I use my app as an authenticated Firebase user.
Rules first use case:
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}
Here, to display the images I can use the download URL of the photos using: await ref.getDownloadURL();
example:
https://firebasestorage.googleapis.com/v0/b/project_name/o/images%2Fimage_name.jpg?alt=media&token=TOKEN
But I can also use the direct URL of the photo (without the token), and it works perfectly.
example:
https://firebasestorage.googleapis.com/v0/b/project_name/o/images%2Fimage_name.jpg?alt=media
Rules second use case:
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}
Here I can use await ref.getDownloadURL();
but I can't use the image URL (hard-coded).
My question:
Why do we use the Firebase Storage rules (if request.auth != null;) if the ref.getDownloadURL() URL
is accessible even in a private browser and does not require an authenticated user, however the URL of the image (without token) is not accessible even if you are a Firebase authenticated user?
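
A simplified model of the two access paths the question describes, added here as an illustration (it is not the poster's code and not Firebase's implementation): a URL with a token is checked against the object's download token, while a URL without one is evaluated against the security rules using whatever ID token the request carries. The names RULES, parseStorageUrl and decideRead and the sample token values are hypothetical.

```javascript
// Simplified model for illustration; not Firebase's server code.
// The two rule conditions from the question, as predicates over the request.
const RULES = {
  open: (request) => true,                      // allow read, write: if true;
  authOnly: (request) => request.auth != null,  // allow read, write: if request.auth != null;
};

// Split a Firebase Storage object URL into bucket, object path and token.
function parseStorageUrl(raw) {
  const url = new URL(raw);
  const m = url.pathname.match(/^\/v0\/b\/([^/]+)\/o\/(.+)$/);
  if (url.hostname !== 'firebasestorage.googleapis.com' || !m) {
    throw new Error('not a Firebase Storage object URL');
  }
  return {
    bucket: m[1],
    objectPath: decodeURIComponent(m[2]),  // images%2Fimage_name.jpg -> images/image_name.jpg
    token: url.searchParams.get('token'),  // null when the URL has no token
  };
}

// storedToken: download token kept in the object's metadata (constructed value).
// idToken: Firebase ID token sent with the request, or null. A URL opened in a
// browser or hard-coded into an image widget sends none, even when the app user
// is signed in; the SDK attaches it to its own requests.
function decideRead(rawUrl, rule, storedToken, idToken = null) {
  const { token } = parseStorageUrl(rawUrl);
  if (token !== null) {
    // Token URL: the token itself is the credential and the rules are skipped.
    // Model assumption: a token that does not match is rejected outright.
    return { allowed: token === storedToken, via: 'download-token' };
  }
  const request = { auth: idToken ? { token: idToken } : null };
  return { allowed: rule(request), via: 'security-rules' };
}

// Constructed sample values based on the URL shapes in the question.
const PLAIN = 'https://firebasestorage.googleapis.com/v0/b/project_name/o/images%2Fimage_name.jpg?alt=media';
const STORED = 'constructed-token';
const WITH_TOKEN = `${PLAIN}&token=${STORED}`;

for (const [name, rule] of Object.entries(RULES)) {
  console.log(name, 'token URL, no sign-in ->', decideRead(WITH_TOKEN, rule, STORED).allowed);
  console.log(name, 'plain URL, no ID token ->', decideRead(PLAIN, rule, STORED).allowed);
  console.log(name, 'plain URL + ID token   ->', decideRead(PLAIN, rule, STORED, 'constructed-id-token').allowed);
}
```

In this model the rules only gate requests that arrive without a download token, so a download URL has to be handled like a bearer secret.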