Reputation: 14824
I'm trying to allow users to upload files to the Firebase backend. I am using this rule (the storage is filled in on my end):
service firebase.storage {
  match /b/<storage>/o {
    match /{allPaths=**} {
      allow write, read: if false;
    }
  }
}
This is just so I can see if it will block users from accessing the files I have open. But if I go to the link, I can see the image just fine.
How come this rule is not blocking users from viewing it? Thanks.
Upvotes: 0
Views: 930
Reputation: 15953
There are two different ways to download files from Firebase Storage:
1. getFile() or writeToFile: on a Storage reference.
2. getDownloadURL() or downloadURLWithCompletion:.
If you download via the first method, we check security rules before allowing the download. This is the secure method for ACLing files to a user or group of users.
If you download via the second method, those URLs are public, unguessable URLs so anyone can access them and are only protected by the unguessability of the token at the end of the URL. This method is great for sharing files with users outside of your application (imagine Google Photos, where you want to send a photo to someone in your family but don't want to make them download an app to do so).
It sounds like you're using the second method, which as mentioned, doesn't check security rules. If you want to make files you can delete the download token in the Firebase console, or just never share those URLs with anyone.
Upvotes: 3
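Added example (not part of the question or the answer above): a small audit that finds objects under rule-protected prefixes that still carry a download token, and checks whether a previously shared URL's token is still attached. The URL shape, the metadata key firebaseStorageDownloadTokens, the function names and the sample listing are assumptions or constructed values, not taken from this page.

```javascript
// Added example. Assumed URL shape (not in the original post):
//   https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<path>?alt=media&token=<token>
// Assumed metadata key holding comma-separated tokens:
const TOKEN_KEY = "firebaseStorageDownloadTokens";

// Split a download URL into bucket, object path and token; null if no match.
function parseDownloadUrl(raw) {
  try {
    const u = new URL(raw);
    const m = /^\/v0\/b\/([^/]+)\/o\/(.+)$/.exec(u.pathname);
    if (u.hostname !== "firebasestorage.googleapis.com" || !m) return null;
    // token is null when the URL carries none
    return { bucket: m[1], path: decodeURIComponent(m[2]), token: u.searchParams.get("token") };
  } catch {
    return null; // unparsable URL or bad percent-encoding
  }
}

// Tokens currently attached to one object record ({ name, metadata }).
function liveTokens(obj) {
  const raw = (obj.metadata || {})[TOKEN_KEY] || "";
  return raw.split(",").map((t) => t.trim()).filter(Boolean);
}

// Objects under prefixes that rules are meant to protect but that still
// have a token, so they are readable by anyone holding the URL.
function auditTokens(objects, protectedPrefixes) {
  return objects
    .filter((o) => protectedPrefixes.some((p) => o.name.startsWith(p)))
    .filter((o) => liveTokens(o).length > 0)
    .map((o) => ({ name: o.name, tokens: liveTokens(o).length }));
}

// True if the token in a shared URL is still attached to the object in this
// listing; false once the token has been deleted.
function tokenIsLive(rawUrl, objects) {
  const parsed = parseDownloadUrl(rawUrl);
  if (!parsed || !parsed.token) return false;
  const obj = objects.find((o) => o.name === parsed.path);
  return Boolean(obj) && liveTokens(obj).includes(parsed.token);
}

// Constructed sample listing and URL (not real data).
const SAMPLE_OBJECTS = [
  { name: "users/alice/photo.jpg", metadata: { [TOKEN_KEY]: "tok-constructed-0001" } },
  { name: "users/bob/id.png", metadata: {} },
  { name: "public/logo.png", metadata: { [TOKEN_KEY]: "tok-constructed-0002" } },
];
const SAMPLE_URL = "https://firebasestorage.googleapis.com/v0/b/example-bucket/o/" +
  "users%2Falice%2Fphoto.jpg?alt=media&token=tok-constructed-0001";
```

Calling auditTokens(SAMPLE_OBJECTS, ["users/"]) reports only users/alice/photo.jpg; the public/ object has a token too but is outside the protected prefixes.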