Firebase storage url private access

Question

I am creating a flutter application in which users can post images to Firebase storage and storing download url in firestore and i want that when users want to private thier post there is some option to hide the image what if someone opened by code and get the url string. When user private their post it makes no sense hacker can or even anyone can see that image I know that user cannot revoke token by client flutter app I came across a solution that if a user private their profile I will download all the images and put it back in some private path and when user again it will do the same but this approach is taking a lot of time bandwidth and data upload. Is there any other option to change the url by client without doing too much download upload game (sorry for bad English)

Answer 1

There are two ways of downloading a file from Friebase Storage. With a Download URL or Signed URL. The first one will give an long lived URL with witch everyone that has the URL can download the File. The second one works the same way but it's not long lived but short lived.

To awoid giving someon access to your files who should not have it awoid saving the Download URLs but work with the Refs and setup your security rules that only those who should also can read the refs. Fron the refs you ca get the donwload URL. Don't save it anywhere and just use it when needed to download the file. You could make it more restrstricted with the signed URLs. You can read more about them here.

In flutter there is library that can help get the data without the downloadURL. More about it here.