firebase-storage firebase-security

How to stop access to a file with a download URL with a Firebase Storage security rule


I have a function that uploads an image to Firebase Storage, then fetches that image's URL from Firebase to display it to the user in my app. If I take that URL and paste it into an anonymous browser, I can still access and see the image even though I set authentication as required to read data. Does anyone know what the problem is? Here is my storage rule:

    service firebase.storage {
      match /b/{bucket}/o {
        match /{allPaths=**} {
          allow read, write: if request.auth != null;
        }
      }
    }


Solution

  • The download URL of a file in Cloud Storage bypasses the security rules and provides public read-only access to that file.

    Firebase security rules can only restrict users from getting the download URL of an object in the first place and do not prevent them from accessing the file if they get the download URL from any other user.

    Try using getBytes() instead.
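
A simplified model of the behaviour described in the answer, added here as an example (it is not code from the original post and not Firebase's implementation): requesting a download URL and reading bytes through the SDK both pass through the rule from the question, while a plain GET on an already-issued download URL is decided by the token in its query string alone. The bucket name, object path, token value and all function names are constructed for illustration.

```javascript
// Simplified model of the two read paths; NOT Firebase's implementation.
// Bucket, path and token below are constructed sample values.
const BUCKET = 'example-bucket';
const OBJECTS = {
  'images/user1/photo.jpg': { downloadToken: '00000000-aaaa-bbbb-cccc-000000000000' },
};

// The rule from the question: allow read, write: if request.auth != null;
function ruleAllowsRead(request) {
  return request.auth != null;
}

// Asking for a download URL goes through the rules, so an
// unauthenticated caller gets nothing back.
function getDownloadUrl(path, auth) {
  const obj = OBJECTS[path];
  if (!obj || !ruleAllowsRead({ auth })) return null;
  return 'https://firebasestorage.googleapis.com/v0/b/' + BUCKET + '/o/' +
    encodeURIComponent(path) + '?alt=media&token=' + obj.downloadToken;
}

// Plain HTTP GET on a download URL: the decision depends only on the token
// in the query string. No auth is presented and the rule is never evaluated.
function readViaDownloadUrl(url) {
  const u = new URL(url);
  const path = decodeURIComponent(u.pathname.split('/o/')[1] || '');
  const obj = OBJECTS[path];
  if (!obj) return { status: 404, ruleEvaluated: false };
  const ok = u.searchParams.get('token') === obj.downloadToken;
  return { status: ok ? 200 : 403, ruleEvaluated: false };
}

// SDK read of the bytes (the getBytes() route): the caller's auth state is
// part of the request and the rule decides.
function readViaSdk(path, auth) {
  if (!ruleAllowsRead({ auth })) return { status: 403, ruleEvaluated: true };
  return { status: OBJECTS[path] ? 200 : 404, ruleEvaluated: true };
}
```

In this model a signed-in user can obtain the URL and anyone who later holds it can read the file, whereas `readViaSdk` denies every caller whose `auth` is null.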