Mona Haathi

Reputation: 1

How to prevent external users from viewing images from Firebase Storage

We have built an application where there is a provision to upload an image using AngularFirestore, and the file gets saved in Firebase Storage. At the time of uploading the file we are getting the DownloadURL and we are saving it in a Firestore document for the respective object.

There is another screen in application where that uploaded image gets displayed as logo for that object. What we found is, if there is any technical user then they can enter into debug mode where they can find complete image path from the Network and open it directly even after they are logged out of the application.

We tried implementing storage rules, but because the URL we got using DownloadURL has an access token in it, anyone can directly open the image anytime, even without accessing our web app.

We have a strict requirement of not letting anyone access the images outside web application.

I am hoping to get a solution for the problem we are facing. We went through many threads on Stack Overflow but found no concrete solution.

Appreciate any help.

Upvotes: 0

Views: 496

Answers (1)

Can

Reputation: 1876

DownloadURL is a persistent URL. Anyone who has it can access the image. You can revoke the token from the dashboard or Admin SDK, but that will break how you display your images in your web app. Firebase Storage rules allow you to restrict who can request the downloadURL. You can probably implement more secure downloads with the Admin SDK. However, a user can always take a screenshot of that image and share it in various ways.

So at some point you need to trust your user who has the access permissions. This is how it works on most applications. For example, you can get the URL of an image from a private Instagram account (assuming you are following) and anyone possessing that URL can now access the image.

Upvotes: 1
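
One way to do the "more secure downloads with the Admin SDK" that the answer mentions, as an added example that is not code from the question or the answer: a backend verifies the caller's Firebase ID token and returns a signed URL that expires after a few minutes. Assumptions: the Firestore document stores the object path instead of the download URL, logos live under a hypothetical `logos/<orgId>/<file>` layout, users carry a hypothetical `orgId` custom claim, and in production `auth` is `admin.auth()` and `bucket` is `admin.storage().bucket()` from `firebase-admin`.

```javascript
// Added example (not from the original thread): issue short-lived signed URLs
// only to verified, authorized callers instead of handing out the persistent
// download URL.
const URL_TTL_MS = 5 * 60 * 1000; // assumed lifetime: 5 minutes

// Hypothetical authorization rule: a user may read logos of their own org only.
// The strict pattern also rejects traversal-style paths such as "logos/a/../b/x".
function canReadLogo(claims, objectPath) {
  const m = /^logos\/([A-Za-z0-9_-]+)\/[A-Za-z0-9._-]+$/.exec(objectPath);
  return Boolean(m && claims && claims.orgId === m[1]);
}

// auth and bucket are injected so the logic can be exercised without network
// access; pass admin.auth() and admin.storage().bucket() in a real deployment.
function createLogoUrlIssuer({ auth, bucket, now = Date.now }) {
  return async function issueLogoUrl(idToken, objectPath) {
    let claims;
    try {
      // Second argument true: also reject tokens that were revoked
      // server-side or that belong to a disabled user.
      claims = await auth.verifyIdToken(idToken, true);
    } catch (err) {
      return { status: 401, error: 'invalid or revoked ID token' };
    }
    if (!canReadLogo(claims, objectPath)) {
      return { status: 403, error: 'not allowed to read this object' };
    }
    // getSignedUrl resolves to a one-element array holding the URL.
    const [url] = await bucket.file(objectPath).getSignedUrl({
      version: 'v4',
      action: 'read',
      expires: now() + URL_TTL_MS,
    });
    return { status: 200, url, expiresInMs: URL_TTL_MS };
  };
}
```

The signed URL is still usable by anyone who holds it until it expires, so this shortens the exposure window rather than removing it, which matches the answer's point about trusting users who have access. Any download token already stored for the object keeps working until it is revoked.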
