I want to restrict access to Firebase Storage objects with storage rules and custom claims on authenticated users. Both cool features, good for scaling.
My problem however is:
The Firebase Storage download link allows public access, no matter the rules.
My download link given by getDownloadURL() is: https://firebasestorage.googleapis.com/v0/b/***myappname***.appspot.com/o/logos%2F1618740110634.png?alt=media&token=bdf6a5c5-54a2-4211-aa40-85177a38210a
My rules are:
match /{allPaths=**} {
allow read, write: if false;
}
What link then should I use to restrict access to authenticated users only and for checking custom claims with for my admin (excel reports) files? I am very confused.
Have tried direct links, without the token at the end, the given storage location link. With the public link, anyone has access I don't want them to have.
Using Flutter mobile and web.
The getDownloadURL() always returns a public URL. Everyone who has it can access the file.
There are short lived signed token URLs but they are not supported on native device SDKs.
The downloadURL is very secure. If someon does not have it no one will get to your file. So the magic here is to not share it anywere and to get what you would like work only with references. Only if someone has access to your reference (according to the storage rules) he can generate the downloadURL.
I would recommend to work in your app only with those references and only get the downloadURL when you realy want to access the file in App or open it.
In the firebase storage rules you can then use auth and the customClaims to define who can access the file references.
Once a downloadURL is generated the firebase storage rules don't matter. The file will be accessible over that link.