Menu
Firebase docs suggest that obtaining a downloadable url (e.g. for streaming video in html <video> tag) is done by getDownloadURL(), on any storage reference. Thus, you can set security rules which will be applied for client requests via the SDK.
However, it seems that the downloadable URL received is publicly available to any client/device, with no authentication required.
Is there any way to enforce security authorization for such use case? I notice you can revoke the public URL manually in the console, but it's not a scalable solution, nor secure.
469
There are two ways to download a file from Firebase Storage:
gs://bucket/objecthttps://firebasestorage.googleapis.com/v0/b/bucket/o/object?token=<UUID>The former is an internal reference, and can be used to upload and download files via our SDKs. These are protected by Firebase Authentication and Firebase Storage Security rules. It is designed to be used by users of your application, while in the application.
The latter is an external reference, and can be used only to download files that have been shared, usually external to the application. Since the user who this has been shared with is outside of your application, there's no way they could authenticate, so authorization is less interesting.
The authorization we provide is "do they have a long unguessable token" that means someone authorized to share the file with them gave them permission to. This is commonly known as a "public, unguessable URL" or a "signed URL" due to the cryptographic signing that's often used to convey certain claims (like how long the URL is valid, what operations it's valid for, etc.).
We believe that there's little sense in making an "external" representation that can only be used by "internal" app users, though I'd be open to hearing your use cases if you disagree.
161
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
