firebase firebase-storage firebase-security

Firebase storage security rules bypassed if downloading via a URL?


If downloading via URL, I can see that even unauthenticated users can download images stored in my Firebase storage instance, despite me having set restrictive rules for these. Is that intended?

The link above seems to suggest that in order to enforce storage security rules I will have to use other functions:

From version 9.5 and higher, the SDK provides these functions for direct download:

  • getBlob()
  • getBytes()
  • getStream()

Using these functions, you can bypass downloading from a URL, and instead return data in your code. This allows for finer-grained access control via Firebase Security Rules.

Can someone confirm that this is the way to go to have my rules enforced?


Solution

  • A download URL provides public read-only access to the file and is indeed not affected by the security rules you set.

    If you want to enforce the security rules, your users will have to download the file through the SDK instead of through download URLs.
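An added example, not part of the original question or answer and not Firebase's own code: because a download URL stays readable regardless of the rules, it helps to find where an app has stored such URLs, keep only the object path, and read the object through the SDK instead. The URL layout in the comment, the constructed sample records, and the names `parseDownloadUrl`, `findDownloadUrls` and `fetchWithRules` are assumptions; `fetchWithRules` assumes an already initialized Firebase app and a signed-in user.

```javascript
// Added example. Assumed download URL shape:
// https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<encoded path>?alt=media&token=<token>
const DOWNLOAD_HOST = "firebasestorage.googleapis.com";

// Return { bucket, objectPath, hasToken } for a Storage download URL, else null.
function parseDownloadUrl(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // plain object paths and other non-URL strings end up here
  }
  if (url.hostname !== DOWNLOAD_HOST) return null;
  const m = url.pathname.match(/^\/v0\/b\/([^/]+)\/o\/(.+)$/);
  if (!m) return null;
  try {
    const objectPath = decodeURIComponent(m[2]); // "users%2Falice" -> "users/alice"
    return { bucket: m[1], objectPath, hasToken: url.searchParams.has("token") };
  } catch {
    return null; // malformed percent-encoding
  }
}

// Report every string field that persists a download URL, so it can be
// replaced by the object path and fetched through the SDK.
function findDownloadUrls(records) {
  const findings = [];
  for (const [id, record] of Object.entries(records)) {
    for (const [field, value] of Object.entries(record)) {
      if (typeof value !== "string") continue;
      const hit = parseDownloadUrl(value);
      if (hit) findings.push({ id, field, ...hit });
    }
  }
  return findings;
}

// Read through the SDK (v9.5+) rather than a URL; getBytes() resolves to an ArrayBuffer.
async function fetchWithRules(objectPath) {
  const { getStorage, ref, getBytes } = await import("firebase/storage");
  return getBytes(ref(getStorage(), objectPath));
}

// Constructed sample data: one record stores a download URL, one stores a path.
const SAMPLE_RECORDS = {
  u1: { name: "alice", avatar: "https://firebasestorage.googleapis.com/v0/b/demo-app.appspot.com/o/users%2Falice%2Favatar.png?alt=media&token=00000000-0000-0000-0000-000000000000" },
  u2: { name: "bob", avatar: "users/bob/avatar.png" },
};
console.log(findDownloadUrls(SAMPLE_RECORDS));
```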