0 votes

I am using Firebase Storage and Firestore with Flutter. I came across two options to retrieve a Firebase Storage image:

  1. Setting Firebase storage image url in firestore database and then fetching it with network image

  2. Getting image url from Firebase storage directly

I don't know much about tokens. My security rules state that only authenticated users can read my Firebase Storage, but if I use the first option my image URL with its token is stored in my Firestore database, and using that URL anyone can access my storage. I am not sure whether Firebase refreshes its storage token automatically; if it does, my app will crash. Which is the most secure and longest-lasting way, or please answer if there is any other secure way to fetch images.

Can you tell what image this is? Can this be accessible by the owner only or by anyone? – Dharmaraj
Only authenticated users can access it. – Noobdeveloper

1 Answer

1 vote

Firebase Storage tokens won't expire unless you revoke them. The token may update if you overwrite the image, i.e. update it. Now it's totally your call whether you would like to make a separate request just to get the download URL, or store the URL in the Realtime Database when an image is uploaded and fetch it along with other data.

Security rules of Firebase Storage will prevent non-authenticated users from getting the download URL only. If an authenticated user shares the URL with anyone, they will be able to see the image as they have the URL with that random token now.

If the data you are fetching from the Realtime Database requires the user to be logged in in the first place, then I'd just store the URL in the database itself, as I don't think it makes sense to make another request and have the same rules for Firebase Storage. I don't know your exact use case, so there may be exceptions to doing this.

If you don't always need that image URL, then storing it might be a waste of bandwidth, and you should consider making a separate request to get the storage URLs.

service firebase.storage {
  match /b/{bucket}/o {
    // any signed-in user may read and write every object in the bucket
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

These rules will allow any authenticated user to request the URL. But as I mentioned earlier, anyone with this link can access the file.
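As an added example (not code from the question, the answer or Firebase itself), here are the two options from the question side by side in Dart, plus a third approach that fetches the bytes through the SDK so no token URL is ever produced; the Firestore collection name, field names and object paths are assumptions.

```dart
import 'dart:typed_data';
import 'package:cloud_firestore/cloud_firestore.dart';
import 'package:firebase_storage/firebase_storage.dart';
import 'package:flutter/widgets.dart';

// Assumed layout (not from the question): a document in the "posts"
// collection holds the Storage object path in "imagePath" and, for
// option 1, the cached download URL in "imageUrl".

/// Option 1 from the question: the download URL (token included) was
/// stored in Firestore at upload time. Anyone holding this string can
/// fetch the image, signed in or not, until the token is revoked.
Future<Widget> imageFromStoredUrl(String postId) async {
  final doc =
      await FirebaseFirestore.instance.collection('posts').doc(postId).get();
  final url = doc.data()!['imageUrl'] as String;
  return Image.network(url);
}

/// Option 2: ask Storage for the URL at render time. The Storage rules
/// gate this call (request.auth != null), but the returned URL still
/// carries the long-lived token and is just as shareable as in option 1.
Future<Widget> imageFromFreshUrl(String storagePath) async {
  final url =
      await FirebaseStorage.instance.ref(storagePath).getDownloadURL();
  return Image.network(url);
}

/// Third approach: download the bytes through the SDK instead of minting
/// a URL. Every read is checked against the Storage rules with the
/// caller's auth, and no bearer URL exists that could be copied out of
/// the app or a database. It costs a Storage read per render, so cache
/// the bytes in memory if the image is shown often.
Future<Widget> imageFromAuthenticatedRead(String storagePath,
    {int maxBytes = 5 * 1024 * 1024}) async {
  final Uint8List? bytes =
      await FirebaseStorage.instance.ref(storagePath).getData(maxBytes);
  if (bytes == null) {
    throw StateError('object $storagePath is empty or could not be read');
  }
  return Image.memory(bytes);
}
```

With the third approach a user who leaves the app (or whose account is disabled) loses access on the next read, whereas a copied token URL from options 1 or 2 keeps working until the token is revoked or the object is overwritten.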