0

I use the firebase JS sdk to upload audio files to firebase-storage. When this happens I need to process it based on the authenticated user doing the uploading (I upload it somewhere else for processing). This means I need to have access to the uid after it has been validated by storage rules, to keep it safe.

While researching this I found workarounds such as using the metadata to send the user's ID token but in my opinion this is a bad idea as it's possible to abuse.

I found this question which is pretty much exactly my question as well. The question I linked is now over a year old, so I thought it's worth asking again.

The primary reason I think that, is because of storage rules, which do have access to the uid (https://firebase.google.com/docs/storage/security/user-security). If I can use the uid there to allow/disallow access I assume it's also possible to access the uid in my onFinalize trigger. I just can't seem to find how.

Wesley Overdijk
  • 1,176
  • 10
  • 18

1 Answers1

5

Cloud Storage events do not retain user context; however, you don't necessarily need to send the whole ID token to be able to verify the user when used in conjunction with rules. You could instead set a uid metadata item:

ref.updateMetadata({customMetadata: {uid: currentUser.uid}});

and check it in rules:

match /files/{fileName} {
  allow update: if resource.metadata.uid == request.auth.uid;
}

This way, the UID is guaranteed to match the user's and you can access it from the function.

Michael Bleigh
  • 25,334
  • 2
  • 79
  • 85