
Okay, I was using Flutter and Firebase to upload data into Cloud Storage. I obtained the downloadURL, which can be accessed on the web if people know the URL. I had enabled Public Access Prevention in the Google Cloud Storage Console based on this doc and chose Uniform access control based on this doc.

I had also added a Security Rule in Firebase Cloud Storage, so only users with a certain custom token can use it. But it seems useless, as everyone can get its download URL. My question is: why am I still able to access the file if I am using the same URL which I stored in Firestore? You can test it on this url.

Can a hacker get the download URL I downloaded from Firestore? Is there a secure way to download a song from Firebase Cloud Storage so a hacker won't get its URL?

Thank you for helping me out.

Updated v2: I just found out that the current audio file has its own AuthenticatedUrl, as shown in the picture below. How can I get access to this url?

Authenticated URL

Updated v1:

I think I haven't activated Firebase App Check. Does this feature have the ability to prevent the file from being accessed publicly, or is there something else I have to do to prevent it from being accessed publicly, besides all the ways I described above?

Cloud Security Rules

Shown it's not public

Image on Google Cloud Storage

Wege

2 Answers

Security rules only check whether a user can get the download URL; they do not restrict anyone from using it. You can use the getData() method instead. It doesn't return any URL, downloads the file directly, and is controlled by security rules. So a user must be authenticated to fetch the file.

Dharmaraj
  • Uhm... What I meant is how to prevent a hacker from accessing the url generated from Flutter? Since getDownloadUrl() returns the same url which is stored inside Cloud Storage. I found out on the Google Cloud Console that the current audio file has an AuthenticatedURL which cannot be downloaded if you are not authenticated.... You can try using this url to try it: https://storage.cloud.google.com/felix-had.appspot.com/music/Relax/02.%20Rivers.output.mp3 – Wege Sep 16 '22 at 13:20
  • Can you read the last update on question? I wanna know how to get the AuthenticatedUrl from Cloud Storage Console. – Wege Sep 16 '22 at 13:25
  • @Wege open any object and you should see it. Define "hacker"? A person would need access to a user's Firebase Auth account, and only then could they get the URL/file in the first place. If someone just bruteforces the URL (that is unlikely). Yes, that auth URL will require you to be authenticated with Google. – Dharmaraj Sep 16 '22 at 13:31
  • If you just use `getData()` then you don't have to deal with the URLs in the first place or get into the GCP console. – Dharmaraj Sep 16 '22 at 13:32
  • But using getData() will force the user to download all the songs, and it will make the app consume a total of 20 GBs.... I really need a workaround for this use case. If you know one, that will be helpful. – Wege Sep 16 '22 at 13:34
  • @Wege where did you read that? Have you checked the documentation linked in my answer? It only fetches the file that your StorageReference points to.. – Dharmaraj Sep 16 '22 at 13:35
  • Yeah, I have read it. But my app derives all songs from one single category in Firestore, and it needs a downloadable URL, so the app will only download the file if the current file is being played. – Wege Sep 16 '22 at 13:39
  • I think this link below is probably the answer. I am gonna test it first and let you know the result. If it can be accessed that way, then the problem is solved. Link from another stackoverflow answer: https://stackoverflow.com/a/20479113/13890662 – Wege Sep 16 '22 at 13:42
  • Files can be accessed by anyone who has a signed URL, and it does not explicitly check for auth. Though it's unlikely to get one by bruteforce, just like the normal URLs.... – Dharmaraj Sep 16 '22 at 13:47
  • Well, I was trying to use the Authenticated URL and it returned an error and was inaccessible. I don't know what else I can do so I don't expose the URL. – Wege Sep 16 '22 at 14:21
  • @Wege so essentially `getData()` is the solution to your question? – Dharmaraj Sep 16 '22 at 14:38
  • Uhm... I think I am gonna need to test it first. If it is not working, then probably I have to use a signed URL with a limited expiration time. Sorry, I am still new here. – Wege Sep 16 '22 at 14:44
  • Security rules do restrict download as mentioned earlier in the comments and the answer as well. The same is explained in the documentation linked. – Dharmaraj Sep 16 '22 at 14:47
  • Hello @Dharmaraj, is there a way to convert Uint8List data into an audio file and stream it in real time? – Wege Sep 17 '22 at 00:36
  • Have you checked [this answer](https://stackoverflow.com/questions/61482473/save-audio-stream-uint8list-data-in-file-flutter)? If you are facing issues particularly about playing the audio then it might be best to post a new question with the relevant code that you have tried and any error that you get. – Dharmaraj Sep 17 '22 at 06:33
As mentioned in this answer:

If you're using the FlutterFire Storage library in your app, you can call getData on a reference to the file to get its data. So with that you just need to know the path to the data, and you won't need the download URL in your application. Once you have the data locally, you can create an image out of it with: Converting a byte array to image in Flutter?

Unlike download URLs, the call to getData() is checked by security rules, so you'll have to ensure that the user is permitted to access the file.

You can also refer to this Answer :

For web apps: in the JavaScript/Web SDK using a download URL is the only way to get at the data, while for the native mobile SDKs we also have getData() and getFile() methods, which are enforced through security rules.

Until that time, if signed URLs fit your needs better, you can use those. Both signed URLs and download URLs are just URLs that provide read-only access to the data. Signed URLs just expire, while download URLs don't.

For more information, you can refer to this Github issue where a similar issue has been discussed.

Divyani Yadav
  • Thank you. Your answer is the most complete one, although it was the same as the previous answer. I got all that I need along with the expert answer from Frank-van-Puffelen. Thank you. Thank you too to @Dharmaraj. – Wege Sep 16 '22 at 14:38
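Both answers make the same point: a download URL is a bearer secret that Storage serves to anyone who presents it, while getData() sends the signed-in user's ID token and is checked by Security Rules. The following Flutter/Dart snippet is an added example written for this page (not code from the question or either answer). It assumes a configured Firebase app with a signed-in user, a Firestore collection named `songs` whose documents carry a hypothetical `storagePath` field (e.g. `music/Relax/02. Rivers.mp3`) instead of a download URL, and a Storage rule of the form `allow read: if request.auth != null;` on `/music/{category}/{file}`. It also shows the per-track fetch that addresses the 20 GB concern in the comments: only the paths are listed up front, and bytes are pulled one song at a time when that song is played.

```dart
// Added example, not from the original question or answers.
// Assumes firebase_core, firebase_auth, cloud_firestore and firebase_storage
// are in pubspec.yaml and Firebase.initializeApp() has already run.
import 'dart:typed_data';

import 'package:cloud_firestore/cloud_firestore.dart';
import 'package:firebase_auth/firebase_auth.dart';
import 'package:firebase_core/firebase_core.dart';
import 'package:firebase_storage/firebase_storage.dart';

// Upper bound passed to getData(); a track larger than this is refused
// client-side instead of being buffered in memory.
const int kMaxSongBytes = 20 * 1024 * 1024;

/// Returns the Storage object paths for one category.
/// Only paths are read here; nothing is downloaded until a track is played,
/// so the app never pulls the whole catalogue.
/// `storagePath` is a hypothetical field name for this example.
Future<List<String>> listSongPaths(String category) async {
  final snapshot = await FirebaseFirestore.instance
      .collection('songs')
      .where('category', isEqualTo: category)
      .get();
  return snapshot.docs
      .map((doc) => doc.data()['storagePath'] as String)
      .toList();
}

/// Downloads a single track through getData().
/// The request carries the current user's ID token, so the Storage rules
/// decide whether bytes come back. No URL is produced, so there is nothing
/// a user could copy out of the app and hand to someone who is not signed in.
Future<Uint8List> fetchSongBytes(String storagePath) async {
  if (FirebaseAuth.instance.currentUser == null) {
    throw StateError('sign in before requesting audio');
  }
  final ref = FirebaseStorage.instance.ref(storagePath);
  try {
    final bytes = await ref.getData(kMaxSongBytes);
    if (bytes == null) {
      throw StateError('no data returned for $storagePath');
    }
    return bytes;
  } on FirebaseException catch (e) {
    // 'unauthorized' is what the SDK reports when the Security Rules deny
    // the read, i.e. the rule above rejected this user for this path.
    if (e.code == 'unauthorized') {
      throw StateError('Storage rules denied read of $storagePath');
    }
    rethrow;
  }
}

/// Play-on-demand flow: list once, fetch only the track that is selected.
/// `playFromBytes` is a hypothetical callback for whatever audio player the
/// app uses (see the linked answer on playing Uint8List audio in Flutter).
Future<void> playTrack(
  String category,
  int index,
  Future<void> Function(Uint8List bytes) playFromBytes,
) async {
  final paths = await listSongPaths(category);
  final bytes = await fetchSongBytes(paths[index]);
  await playFromBytes(bytes);
}
```

With this layout the long-lived download URL is never created or stored in Firestore, so there is nothing for the `getDownloadUrl()` concern in the comments to leak. If a URL is genuinely needed (for example for a web client, where the answer notes getData() is unavailable), the remaining option the answers mention is a signed URL minted server-side with a short expiry, which bounds how long a leaked link stays usable but, as Dharmaraj notes, is still not checked against Firebase Auth.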