ebg11

Reputation: 1046

Generating download URLs for storage

I have a few questions regarding Firebase Storage.

I am generating download URLs for Firebase Storage objects using an admin account (has custom claims) and storing the URL on Firestore.

Users can read the Firestore document to get the URL instead of having to call getDownloadUrl on the client side code.

Q1) I noticed there is a token at the end of the storage URLs. Is this specific to my admin account and is it safe that non-admin users can now read this token?

Q2) Furthermore if a non admin user called getDownloadUrl on the same storage path would they receive the same URL as the admin account or a different one?

Q3) If I switch to using getDownloadUrl on the client side would this increase my cost when using firebase storage?

Q4) If I am caching the content by URL and the URL changes, it will redownload and not use the cache. Are these download links unique or can getDownloadURL return different URLs on subsequent calls?

Thanks a lot

Edit ---

Sorry I have an additional question

Q5) To move files on Firebase Storage I currently download them to my local PC and reupload them to another location -- seems very inefficient.

I have seen people using file.move() (as can be seen here.)

Would this be possible to call in a Firebase function (as they talk about storage rules being an issue in the comments, although it's from 2016) and if so how would this be cheaper than my manual download and upload?

Sorry for many questions :)

Upvotes: 1

Views: 722

Answers (2)

nicoqh

Reputation: 1263

Q1) I noticed there is a token at the end of the storage URLs. Is this specific to my admin account and is it safe that non-admin users can now read this token?

This token is a random ID generated for this specific file. It won't change, unless you change it intentionally (you can "revoke" the token from the Firebase Console, which will replace it with a new token). Everyone who possesses the URL can view the file whether they are authenticated or not. However, the URL is "hard to guess", so unless you share it with anyone, it will stay secret, practically speaking.

Q2) Furthermore if a non admin user called getDownloadUrl on the same storage path would they receive the same URL as the admin account or a different one?

The returned URL will always be the same, unless you invalidate it in the Firebase Console. If you don't want clients to call getDownloadURL on the files, add a Storage Security Rule that denies reads:

match /path/to/{file} {
  allow read: if false;

  // Or, if only authed users should be able to call getDownloadURL:
  allow read: if request.auth != null;
}

Q3) If I switch to using getDownloadUrl on the client side would this increase my cost when using firebase storage?

A call to getDownloadUrl() does utilize some Google Cloud resources that you will have to pay for, whether you do it server-side or client-side. It's a "Class B" operation (check Google Cloud pricing), and a bit of data transfer.

Q4) If I am caching the content by URL and the URL changes, it will redownload and not use the cache. Are these download links unique or can getDownloadURL return different URLs on subsequent calls?

The same URL is returned each time, unless you manually invalidate the token. (By the way, the caching policy that sets the Cache-Control header is set on the object as metadata when you upload it.)

Q5) To move files on firebase storage I currently download them to my local pc and reupload them to another location -- seems very inefficient. [..] Would this be possible to call in a firebase function

Yes, you can move files in a Firebase Cloud Function. The Firebase Admin SDKs bypass security rules.

Upvotes: 2
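Added example, not part of the answer above: since the token travels in the URL and anyone holding the URL can read the file, it helps to know exactly which Firestore fields hold such URLs before revoking a token or tightening rules. The sketch assumes the usual download URL shape (`https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<encoded path>?alt=media&token=<id>`); the function names and sample documents are constructed for illustration.

```javascript
// Added example. Sample data below is constructed, not taken from the page.
const STORAGE_HOST = "firebasestorage.googleapis.com";

// Return {bucket, objectPath, token} for a tokenized download URL, else null.
function parseDownloadUrl(raw) {
  try {
    const u = new URL(raw);
    const m = u.pathname.match(/^\/v0\/b\/([^/]+)\/o\/(.+)$/);
    const token = u.searchParams.get("token");
    if (u.protocol !== "https:" || u.hostname !== STORAGE_HOST || !m || !token) return null;
    return { bucket: m[1], objectPath: decodeURIComponent(m[2]), token };
  } catch {
    return null; // not a URL, or malformed percent-encoding
  }
}

// Walk a document's fields (nested maps and arrays) and collect every hit.
function findTokenUrls(value, path = "") {
  if (typeof value === "string") {
    const hit = parseDownloadUrl(value);
    return hit ? [{ field: path, ...hit }] : [];
  }
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([k, v]) =>
    findTokenUrls(v, path ? `${path}.${k}` : k));
}

// One finding per stored URL; the token is masked so the report is safe to log.
function auditDocs(docs) {
  return docs.flatMap(({ id, data }) =>
    findTokenUrls(data).map(({ token, ...rest }) => ({
      doc: id, ...rest, tokenHint: token.slice(0, 4) + "****",
    })));
}

// Constructed sample: two documents as they might be read from Firestore.
const SAMPLE_DOCS = [
  { id: "profiles/alice", data: {
      name: "Alice",
      avatarUrl: "https://firebasestorage.googleapis.com/v0/b/example-app.appspot.com/o/users%2Falice%2Favatar.png?alt=media&token=11111111-2222-4333-8444-555555555555" } },
  { id: "posts/p1", data: {
      title: "Hello",
      images: ["https://example.com/static/logo.png",
               "https://firebasestorage.googleapis.com/v0/b/example-app.appspot.com/o/posts%2Fp1%2Fa.jpg?alt=media&token=aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"] } },
];

console.log(auditDocs(SAMPLE_DOCS));
```

Every finding is a place where read access to the Firestore document equals read access to the file, independent of Storage Security Rules.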

Stefan Neacsu

Reputation: 693

1) I noticed there is a token at the end of the storage URLs. Is this specific to my admin account and is it safe that non-admin users can now read this token?

Depends on what you have at the moment since you can integrate Custom Authentication with Firebase which will allow you to create custom tokens that can be used to sign into the Firebase Authentication service on a client application and assume the identity described by the token’s claim. This can be used when accessing other Firebase services, such as Cloud Storage, etc. In general your server should create a custom token with a unique identifier.

2) Furthermore if a non admin user called getDownloadUrl on the same storage path would they receive the same URL as the admin account or a different one?

Depends on how you are setting the permissions for the getDownloadUrl. If you have a customized one they can receive a different one but usually it returns a new instance that points to the current reference.

3) If I switch to using getDownloadUrl on the client side would this increase my cost when using firebase storage?

I am not sure about this, I have checked the documentation and there is nothing that would indicate a quota or pricing on this specific method so I would go ahead and assume that it would not do it but I might be wrong on this one.

4) If I am caching the content by URL and the URL changes, it will redownload and not use the cache. Are these download links unique or can getDownloadURL return different URLs on subsequent calls?

As specified before, it returns a new instance that points to the current reference so these download links are unique.

5) To move files on firebase storage I currently download them to my local pc and reupload them to another location -- seems very inefficient.

For this question and the last part of your initial post, I would suggest that you create a support ticket and ask the Firebase Support Team for more details, since it is more suited to them than to StackOverflow. (https://firebase.google.com/support)

Upvotes: 0
