JamesRicky

Reputation: 251

Static hosting Google Cloud Storage with Firebase security rules, custom domain and CloudFlare

Let's imagine I am trying to host two static files using Firestore Storage:

  1. index.html
  2. secret.html

I have set up a CNAME record on CloudFlare to point my custom domain to "c.storage.googleapis.com" and I have also verified the domain on Google Cloud, following this guide: https://stackoverflow.com/a/56697604/7871178

The bucket created with Firestore Storage has the same name as my domain and the bucket permission has been set to "allUsers" with the role "Storage Legacy Object Reader". I am able to access both files, index.html and secret.html, without any form of authentication (due to the bucket permissions I have set up).

How would I make the contents of index.html public for all users, but secret.html restricted to the Firebase Storage Security rules (for example only Firebase authenticated users)?

Is this even possible with my current setup? Is it all files public or nothing public at all?

Upvotes: 1

Views: 438

Answers (1)

Emmanuel

Reputation: 1494

Once you have set up your domain, you can use the Firebase Storage security rules to restrict your files and secure your assets. For example, the following rule allows your index.html to be read by everyone and restricts your secret.html to authenticated users only:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /index.html {
      allow read: if true;
    }
    match /secret.html {
      allow read: if request.auth != null;
    }
  }
}

Just please be aware that since your bucket is public, due to the Storage Legacy Object Reader permissions, if a user somehow has the full bucket URL he will be able to access your assets directly, for example using the following URLs:

https://storage.googleapis.com/project.appspot.com/index.html # this will be readable
https://storage.googleapis.com/project.appspot.com/secret.html # this will also be readable

Upvotes: 0
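
An added example (not part of the original answer) of checking for the exposure the answer warns about: it inspects a bucket IAM policy for bindings that let everyone read every object, then lists the objects whose Firebase rule intends them to be restricted. The policy JSON, the object map and the function names are constructed for illustration; the role list is a subset of the predefined roles that include `storage.objects.get`, and custom roles are not expanded.

```python
import json

# Predefined roles that include storage.objects.get (subset, see lead-in).
OBJECT_READ_ROLES = {
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyObjectOwner",
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}
# Principals that mean "anyone" or "any signed-in Google account".
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample shaped like a bucket IAM policy export.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.legacyObjectReader",
     "members": ["allUsers"]}
  ],
  "etag": "CAE="
}
""")

# Constructed: object name -> True if the Firebase rule uses "allow read: if true".
RULES_INTENT = {"index.html": True, "secret.html": False}


def public_read_bindings(policy):
    """Return (role, member) pairs that grant object reads to everyone."""
    hits = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in OBJECT_READ_ROLES:
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.append((binding["role"], member))
    return hits


def exposed_objects(policy, rules_intent):
    """Objects the rules restrict but the bucket IAM policy serves publicly."""
    if not public_read_bindings(policy):
        return []
    return sorted(name for name, public in rules_intent.items() if not public)


if __name__ == "__main__":
    print("public bindings:", public_read_bindings(SAMPLE_POLICY))
    print("restricted by rules but public via IAM:",
          exposed_objects(SAMPLE_POLICY, RULES_INTENT))
```

A non-empty result means the restriction in the rules has no effect for direct bucket URLs while that binding is present.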
