1
votes

I'm working to set my security rules for my Firebase Storage and the read rules do not seem to be having any effect whatsoever.

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

I can take any imgURL that I have stored and paste it into my browser, and it pulls the image right up. I logged out of the Firebase account and also out of Xcode thinking that maybe

Even if I remove the 'read' from the code above and only specify the write permission, it still allows a read if I paste a URL from one of the files into my browser.

It's like my folder is set to an open read or something.


1 Answer

1
votes

If the imgURL you are talking about is a so-called download URL, then this is the expected behavior. Firebase's download URLs provide public, read-only access to the file, bypassing the security rules.

If you want to only allow secured access to the data, you should not generate a download URL and only access the file through the other SDK download methods.
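An added example, not part of the original answer: a small audit that finds token-bearing download URLs among the values an app has stored, and recovers the bucket and object path so the path can be stored instead and the file fetched through the SDK download methods. It assumes download URLs have the form `https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<encoded path>?alt=media&token=<token>`; the function names, bucket name, paths and token are constructed for illustration.

```javascript
// Added example: audit stored values for Firebase download URLs that carry
// an access token. Sample URLs, bucket name and token below are constructed.
const STORAGE_HOST = "firebasestorage.googleapis.com";

// Returns { bucket, objectPath, hasToken } for a Firebase Storage URL, or
// null when the value is not a URL pointing at the Storage endpoint.
function parseStorageUrl(raw) {
  try {
    const url = new URL(raw);
    if (url.hostname !== STORAGE_HOST) return null;
    // Path shape: /v0/b/<bucket>/o/<percent-encoded object path>
    const m = url.pathname.match(/^\/v0\/b\/([^/]+)\/o\/(.+)$/);
    if (!m) return null;
    return {
      bucket: m[1],
      objectPath: decodeURIComponent(m[2]),
      hasToken: url.searchParams.has("token"),
    };
  } catch {
    return null; // not a URL, or malformed percent-encoding
  }
}

// Splits stored values into token-bearing download URLs (readable by anyone
// who holds the URL) and everything else (plain paths, token-less URLs).
function auditStoredUrls(values) {
  const report = { tokenUrls: [], other: [] };
  for (const value of values) {
    const parsed = parseStorageUrl(value);
    if (parsed && parsed.hasToken) report.tokenUrls.push(parsed);
    else report.other.push(value);
  }
  return report;
}

// Constructed sample of what an app might have saved as "imgURL".
const sample = [
  "https://firebasestorage.googleapis.com/v0/b/example-app.appspot.com/o/" +
    "images%2Fuser1%2Favatar.png?alt=media&token=00000000-0000-0000-0000-000000000000",
  "https://firebasestorage.googleapis.com/v0/b/example-app.appspot.com/o/" +
    "images%2Fuser2%2Favatar.png?alt=media",
  "images/user3/avatar.png",
];

const report = auditStoredUrls(sample);
for (const hit of report.tokenUrls) {
  console.log(`token URL -> store path instead: ${hit.objectPath} (bucket ${hit.bucket})`);
}
```

Each `objectPath` reported here is what the app would pass to a storage reference, so the read goes through the SDK rather than through a stored download URL.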