Firebase Storage - how to authorize file download?

Question

When using Firebase Storage, you set security rules for authorization to get the url of a file, for example using getDownloadURL(). But, once a user has that URL, what's stopping hackers from crowd-sourcing the URL?

I know in Google Cloud Storage, you can use signed urls, which is time limited (still not doing real authorization). But I don't see any mention of a getSignedURL in the Firebase Storage documentation. I've seen it on articles about Firebase Storage but never in Firebase's documentation directly.

As far as I can tell, there's no way to do real user authorization for accessing Firebase Storage files. Please tell me I'm wrong.

Answer 1

But, once a user has that URL, what's stopping hackers from crowd-sourcing the URL?

Nothing. In fact, that's precisely the point of a download URL: it gives anyone who has the URL read-only access to the data.

If you want to only grant specific users access to the file, don't generate a download URL but instead use the SDK to access the data, and use security rules to control that access.

---

Since you clarified that you're asking about web apps: until late 2021 in the JavaScript/Web SDK using a download URL is the only way to get at the data. Since JavaScript SDK version 9,5, the JavaScript SDKs also have getBlock(), getBytes() and getStream() methods, which are enforced through security rules.

Answer 2

As noted in the above comments, the web library does not contain any method to access the document with the security rules. If they add this feature, I'll update this answer!