3

When using Firebase Storage, you set security rules for authorization to get the url of a file, for example using getDownloadURL(). But, once a user has that URL, what's stopping hackers from crowd-sourcing the URL?

I know in Google Cloud Storage, you can use signed urls, which is time limited (still not doing real authorization). But I don't see any mention of a getSignedURL in the Firebase Storage documentation. I've seen it on articles about Firebase Storage but never in Firebase's documentation directly.

As far as I can tell, there's no way to do real user authorization for accessing Firebase Storage files. Please tell me I'm wrong.

Marcus Gallegos

2 Answers

2

But, once a user has that URL, what's stopping hackers from crowd-sourcing the URL?

Nothing. In fact, that's precisely the point of a download URL: it gives anyone who has the URL read-only access to the data.

If you want to only grant specific users access to the file, don't generate a download URL but instead use the SDK to access the data, and use security rules to control that access.

Since you clarified that you're asking about web apps: until late 2021, in the JavaScript/Web SDK, using a download URL was the only way to get at the data. Since JavaScript SDK version 9.5, the JavaScript SDKs also have getBlob(), getBytes() and getStream() methods, which are enforced through security rules.

Frank van Puffelen
  • Hi Puf, thanks for answering this. Okay great, I won't generate a download URL. However, I don't see in the documentation any other ways to access the files. https://firebase.google.com/docs/storage/web/download-files – Marcus Gallegos Jun 18 '21 at 19:52
  • Ah, I didn't realize you were asking for a web app. There, indeed, a download URL is the only way to get at the data, while for the native mobile SDKs we also have `getData()` and `getFile()` methods. I know adding such methods for web clients was considered, so it might be worth [filing a feature request](https://firebase.google.com/support/contact/bugs-features/). Until that time, if signed URLs fit your needs better, you can use those. Both signed URLs and download URLs are just URLs that provide read-only access to the data. Signed URLs just expire, while download URLs don't. – Frank van Puffelen Jun 18 '21 at 19:59
  • Thank you, I made a feature request and suggested this caveat be noted in the documentation. Thanks again! – Marcus Gallegos Jun 18 '21 at 20:20
  • Hey @MarcusGallegos Anything else needed here? – Frank van Puffelen Jul 02 '21 at 22:27
  • Update: Firebase JavaScript SDK version 9.5 (November 18, 2021) added `getBlob`, `getBytes` and `getStream`: https://firebase.google.com/docs/storage/web/download-files#download_data_directly_from_the_sdk https://firebase.google.com/support/release-notes/js#version_950_-_november_18_2021 – Anis Abboud Jul 10 '23 at 13:21
  • Good point @AnisAbboud! I updated my answer with that info and those methods. – Frank van Puffelen Jul 10 '23 at 14:41
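Added illustration (not part of either answer or of Firebase's own docs): the kind of Storage security rule the answer above relies on, assuming a per-user path layout of `users/{uid}/{fileName}` and image uploads capped at 5 MB. These rules are checked on SDK calls such as getBytes()/getBlob()/getStream() and on uploads; they are not re-checked when someone fetches an already-issued download URL, because that URL carries its own access token.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Assumed layout: each user's private files live under users/<their uid>/.
    // Only the signed-in owner may read or write them.
    match /users/{uid}/{fileName} {
      // Enforced for SDK reads (getBytes/getBlob/getStream); a download URL
      // handed out earlier bypasses this check, so don't mint one for private data.
      allow read: if request.auth != null
                  && request.auth.uid == uid;

      // Uploads: owner only, and constrain size and type of what is stored.
      allow write: if request.auth != null
                   && request.auth.uid == uid
                   && request.resource.size < 5 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
    }
    // No other match block: every other path is denied by default.
  }
}
```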
0

As noted in the above comments, the web library does not contain any method to access the document with the security rules. If they add this feature, I'll update this answer!

Marcus Gallegos