I am already using custom_claims to manage group access on Firebase Storage. But it has a hard limit fixed at 1000 bytes.
In my app, a user can join N groups. Today I'm putting the user's joined groups in the user's custom claims. Each groupId is a Firestore-generated key (~20 bytes per key). So a user will be limited to 50 groups (if I only count the keys in the claims)!
I want to be able to create as many relations as needed (between users and groups), but since rules from Storage cannot access the Firestore database, what's the best approach to overcome this limitation?
I thought about creating an API endpoint on Cloud Functions which will return the file (or a direct link) instead of letting the client (mobile) get the file directly from Storage. Is it the only viable solution?
Thanks
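The endpoint idea raised in the question, as an added example that is not part of the original post: the authorization core such a function would run before handing out a short-lived link. The Storage layout `groups/{groupId}/...`, the Firestore membership path `groups/{groupId}/members/{uid}`, and the names `authorizeDownload`, `groupIdFromPath` and `fakeDeps` are assumptions for illustration.

```javascript
// Added example: authorization core for a download endpoint (hypothetical names).
// Assumed layout: Storage objects at groups/{groupId}/{file...},
// membership docs in Firestore at groups/{groupId}/members/{uid}.
const URL_TTL_MS = 5 * 60 * 1000; // keep signed links short-lived

// Extract groupId from an object path; reject anything outside the assumed layout.
function groupIdFromPath(objectPath) {
  if (typeof objectPath !== 'string') return null;
  const m = /^groups\/([A-Za-z0-9]{1,64})\/([^/]+\/)*[^/]+$/.exec(objectPath);
  if (!m || objectPath.split('/').some((s) => s === '.' || s === '..')) return null;
  return m[1];
}

// deps is injected so the logic runs offline; in a Cloud Function wire it to:
//   verifyIdToken: (t) => admin.auth().verifyIdToken(t)
//   isMember: async (g, uid) => (await db.doc(`groups/${g}/members/${uid}`).get()).exists
//   signUrl: async (p, expires) =>
//     (await bucket.file(p).getSignedUrl({ action: 'read', expires }))[0]
async function authorizeDownload(deps, idToken, objectPath, now = Date.now()) {
  let uid;
  try {
    ({ uid } = await deps.verifyIdToken(idToken));
  } catch (e) {
    return { status: 401, error: 'invalid token' };
  }
  const groupId = groupIdFromPath(objectPath);
  if (!groupId) return { status: 400, error: 'bad path' };
  // Membership is read server-side on each request, so claim size no longer bounds it.
  if (!(await deps.isMember(groupId, uid))) return { status: 403, error: 'not a member' };
  return { status: 200, url: await deps.signUrl(objectPath, now + URL_TTL_MS) };
}

// Constructed in-memory stand-ins for Auth, Firestore and Storage.
const fakeDeps = {
  verifyIdToken: async (t) => {
    if (t !== 'token-alice') throw new Error('bad token');
    return { uid: 'alice' };
  },
  isMember: async (g, uid) => new Set(['g1/alice']).has(`${g}/${uid}`),
  signUrl: async (p, expires) => `https://storage.example/${p}?expires=${expires}`,
};
```

With this in place, Storage rules would deny all direct client reads so the function is the only path to the objects.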
If you cannot express the logic used to protect content in security rules, then your only option is to disallow direct client access, and route clients through some endpoint whose logic you can control. This can be Cloud Functions or some other backend.
Bear in mind that: