0
votes

Firebase Storage allows access to files using a URL: https://someUrl

You can restrict Firebase Storage access using security rules.

If you do, you need to pass a token along with the URL to bypass those rules, like so: https://someUrl&token=someToken

However, you could also allow read access to everyone. In that case, https://someUrl would be enough to get the content.

How is this an issue regarding security? I am wondering if a malicious user could find https://someUrl in any way?

Thank you!

2
Kind of agree with @Doug Stevenson. What is the point of having the token if you cannot even reach the online storage? Can you be more clear? - Chayne P. S.
@ChayneP.S. I'm using Flutter Cached network image (pub.dev/packages/cached_network_image). At first, I have access to the online storage. I give the URL to the cached network image. It gets the content and then, based on that specific URL, it gets the cached content. That's why I need the URL while being offline. It's my "path" to the cached content. - SkR

2 Answers

0
votes

For caching reasons, I need to be able to retrieve the URL while being offline.

It's not clear to me what your "caching reasons" are, but it's not supported to get a full download URL while offline. The API requires that the client app must be online.

How is this an issue regarding security?

The security issue is that the user needs to have read access granted by security rules to the object in order to get the download URL. Since security rules are evaluated on the backend, the user needs to be online in order for Storage to allow access to the URL. Obviously, if there is no internet access, the server can't be reached, and the rule is not accessible.

Since this URL is used in a mobile application, is there any way a user could find the URL?

Not while offline, no. Consider trying some way to pre-fetch the URL while online instead, and store that locally for later use while offline (which is kind of strange, because the URL also won't load any content while offline).

0
votes

According to this answer, Understanding Firebase Storage tokens:

The Firebase Storage token is changed if the object is changed. Therefore, you can retrieve the download URL and take it as a unique URL to retrieve the object in that particular version.

And to answer your question: because the token is randomized, there is no way the user can retrieve the object without knowing the token. This is the same level of security as any other token-based credential: you have access to the object if you know the URL.