
Securing Automatic Download Tokens Generated by Firebase Storage Client-Side Uploads


When uploading a file to Firebase Storage using the uploadBytes function from the Firebase client SDK, it automatically generates a download token and includes it in the response. Even though I have set strict rules to prevent public read access, the presence of this token seems to compromise the security of the uploaded file. Here are the details: I have a simple form that allows users to upload a file, which is then stored in Firebase Storage. My Firebase Storage rules are configured as follows:

service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read: if false;
      allow write: if request.resource.contentType.matches('application/pdf') && request.resource.size < 10 * 1024 * 1024;
    }
  }
}

These rules prevent public read access but allow uploading PDF files smaller than 10 MB. When I use the uploadBytes function from the Firebase client SDK to upload a file, the response in the browser console's network tab includes a downloadTokens property with a token value, like this:

{
  "name": "sample/sample.pdf",
  "bucket": "test-12345.appspot.com",
  "generation": "1715231448324075",
  "metageneration": "1",
  "contentType": "application/pdf",
  "timeCreated": "2024-05-09T05:10:48.325Z",
  "updated": "2024-05-09T05:10:48.325Z",
  "storageClass": "STANDARD",
  "size": "3375",
  "md5Hash": "vd9mAXeW3724WRQ2sqSkRQ==",
  "contentEncoding": "identity",
  "contentDisposition": "inline; filename*=utf-8''sample.pdf",
  "crc32c": "Wn3FaQ==",
  "etag": "COuvvYnn/4UDEAE=",
  "downloadTokens": "767eb459-bae2-41ed-9bb3-cf2cad0d71a4"
}

My concern is that a malicious user could potentially guess the public download URL for the file using the information in this response, thereby compromising the file's security.

I cannot use server-side uploading as a workaround because I am using Next.js API routes hosted on Vercel, which has payload limitations that prevent me from performing the upload task on the server-side.

Question: Is this behavior of automatically generating download tokens a security concern, or is it the default and intended behavior of Firebase Storage? If it is a security concern, is there a way to prevent or mitigate this issue without using server-side uploading?

Please let me know if I can provide any additional information or clarify my question further. Thanks in advance.


Solution

> a malicious user could potentially guess the public download URL for the file using the information in this response

This is extremely unlikely. The URLs are generated and designed to be unguessable. It's up to you to make sure that users understand that they should not be shared with anyone else who should not be able to download the content.

> Is this behavior of automatically generating download tokens a security concern?

It's up to you to determine what to do with any generated tokens. They are not inherently a security problem unless you make a bad decision about them.

> Is it the default and intended behavior of Firebase Storage?

Yes, it's by design.

> Is there a way to prevent or mitigate this issue without using server-side uploading?

Again, it's your responsibility to handle the URLs as your security policy dictates. Firebase cannot help you make good security decisions - it can only provide infrastructure.

    If Firebase can't meet your specific security requirements for whatever reason, you might want to look into alternatives that do. But as long as you're allowing client applications to directly upload and download content, it's your responsibility to make sure the client is doing the right thing and the security rules are configured correctly for your case.