Why are my firebase storage security rules are not enforcing and letting users upload images over the limit?
I have setup my storage security rules to only allow authenticated users to post images that are less than 3mb with the following rule:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
// Only allow uploads of any image file that's less than 3MB
allow write: if request.resource.size < 3 * 1024 * 1024
&& request.resource.contentType.matches('image/.*');
allow read, write: if request.auth != null;
}
}
}
However, I just tested from my client and I was able to upload a picture that is 14mb. I have given plenty of time for security rules to set.
How did I bypass this rule?
While the other answers provided you with security rules you could use, it’s also good to add that you can test your security rules using the Firebase rules playground. Using this tool, you can tell exactly the resolution of each of your rules when tested against an event (create, read, update, delete).
I tested your security rules and received this output:
As you can see, while your file size limit rule is working fine, the broader allow write: if request.auth != null; rule is still letting your request go through. This is what the other answers pointed out and what is included in the documentation:
If any of the “allow” rules for the method are satisfied, the request is allowed. Additionally, if a broader rule grants access, rules grant access and ignore any more granular rules that might limit access.