1
votes

Let's imagine I am trying to host two static files using Firestore Storage:

  1. index.html
  2. secret.html

I have set up a CNAME record on CloudFlare to point my custom domain to "c.storage.googleapis.com" and I have also verified the domain on Google Cloud, following this guide: https://stackoverflow.com/a/56697604/7871178

The bucket created with Firestore Storage has the same name as my domain and the bucket permission has been set to "allUsers" with the role "Storage Legacy Object Reader". I am able to access both files, index.html and secret.html, without any form of authentication (due to the bucket permissions I have set up).

How would I make the contents of index.html public for all users, but secret.html restricted to the Firebase Storage Security rules (for example only Firebase authenticated users)?

Is this even possible with my current setup? Is it all files public or nothing public at all?

1
I still have to confirm it, but if someone has the full bucket URL to the resource he would be able to access both resources (due to the allUsers permission); however, if you go through the domain you should be able to restrict the access with the Firebase security rules. - Emmanuel

1 Answers

0
votes

Once you have set up your domain, you can use the Firebase Storage security rules to restrict your files and secure your assets. For example, the next rule will allow your index.html to be read by everyone and your secret.html to be restricted to authenticated users:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /index.html {
      allow read: if true;
    }
    match /secret.html {
      allow read: if request.auth != null;
    }
  }
}

Please be aware that since your bucket is public, due to the Storage Legacy Object Reader permissions, if a user somehow has the full bucket URL he will be able to access your assets directly, for example using the next URLs:

https://storage.googleapis.com/project.appspot.com/index.html # this will be readable
https://storage.googleapis.com/project.appspot.com/secret.html # this will also be readable
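
Requests to storage.googleapis.com are authorized by the bucket's IAM policy, so the direct-URL exposure described in the answer exists whenever that policy grants an object-read role to a public principal. The following check is an added example, not code from the question or the answer; it assumes the policy JSON shape printed by `gsutil iam get gs://BUCKET`, and the sample policy and the name `public_read_bindings` are constructed for illustration.

```python
import json

# Principals that make a binding public: anonymous users, or any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that include storage.objects.get (not an exhaustive list).
OBJECT_READ_ROLES = {
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyObjectOwner",
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}


def public_read_bindings(policy_json):
    """Return (role, member) pairs that let a public principal read objects."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in OBJECT_READ_ROLES:
            continue  # e.g. legacyBucketReader lists objects but cannot read them
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((role, member))
    return findings


# Constructed sample policy (hypothetical project and user names).
SAMPLE_POLICY = """
{
  "bindings": [
    {"role": "roles/storage.legacyObjectReader", "members": ["allUsers"]},
    {"role": "roles/storage.legacyBucketOwner", "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:alice@example.com", "allAuthenticatedUsers"]},
    {"role": "roles/storage.legacyBucketReader", "members": ["allUsers"]}
  ],
  "etag": "CAE="
}
"""

if __name__ == "__main__":
    for role, member in public_read_bindings(SAMPLE_POLICY):
        print(f"PUBLIC READ: {member} has {role}")
```

An empty result means no binding in the policy exposes object contents to public principals; object-level ACLs, if the bucket uses them, are a separate grant this check does not cover.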