
How can I protect my uploaded document in Firebase?

For example, this is my uploaded document URL: https://firebasestorage.googleapis.com/v0/b/sapient-logic-368311.appspot.com/o/coder.JPEG?alt=media&token=55d1a727-956f-434b-bdad-a08b8ef133d0

Anyone is able to access and see my uploaded document by using this document URL.

How can I protect the uploaded document so that only authorized persons can access it?

I want it so that even if anyone gets the document URL, they can't access or see the document.

I want something like this if anyone tries to access my document using the document URL:
[image]

Or can I make a private bucket in Firebase?

3 Answers


  1. Anyone is able to access and see my uploaded document by using this document URL.

    That’s correct. And this is happening because you have shared the entire URL along with the token, which is not correct since the token should act as a security measure to restrict access only to those who possess the token.

    So the best option that you have would be to store such a URL in a database like Firestore or the Realtime Database and only allow access for reading the URL using security rules.

    Remember, that token is created automatically whenever a file is uploaded to Cloud Storage for Firebase. So don’t share that token with anyone.

  2. You can write rules in it which help you control who can read or write the data.

  3. If a specific file is thought to be private, then no client normally should have access to the URL token.

    If the case is that the file URL was public and you want to make it private, you can modify the access token without being obligated to re-upload the file or change its path.

    I don’t know what platform you are working on, but from the Python SDK, it can be done this way:

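    from uuid import uuid4

    from firebase_admin import storage

    # Assumes firebase_admin.initialize_app(...) has already been called
    # with a default storage bucket configured.
    bucket = storage.bucket()
    blob = bucket.blob(path_to_file)  # path_to_file: object path inside the bucket
    token = str(uuid4())  # New random token

    # Overwriting this metadata key replaces the token embedded in the old URL.
    blob.metadata = {"firebaseStorageDownloadTokens": token}
    blob.patch()  # Send the metadata change to Cloud Storage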
    

    After this, the previous URL will be unusable and firestore will respond with the error you mention:

    {
      "error": {
        "code": 403,
        "message": "Permission denied."
      }
    }
    

    Note that this solution applies to full-stack applications, where the backend is what uploads the file to the Firebase Storage. If your project consists of the client connecting directly to the Firebase Storage, then you should read about the security rules and use them as a pseudo-backend.
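
A batch version of the token rotation from the third answer, as an added example that is not part of the original answers: it re-issues the token for every object under a prefix and leaves objects that never had a token untouched. It assumes `bucket` is the object returned by `storage.bucket()` (only `list_blobs`, `metadata` and `patch()` are used); the function name, the `FakeBlob`/`FakeBucket` stand-ins and the sample object names are constructed for illustration.

```python
from uuid import uuid4

TOKEN_KEY = "firebaseStorageDownloadTokens"


def rotate_download_tokens(bucket, prefix=""):
    """Give every object under `prefix` that has a download token a new one.

    Returns {object name: new token} so a backend can store the new values
    somewhere access-controlled. Objects without a token are skipped, so no
    download URL is created for files that never had one.
    """
    rotated = {}
    for blob in bucket.list_blobs(prefix=prefix):
        metadata = dict(blob.metadata or {})
        if not metadata.get(TOKEN_KEY):
            continue
        metadata[TOKEN_KEY] = str(uuid4())
        blob.metadata = metadata
        blob.patch()  # same call as in the answer, once per object
        rotated[blob.name] = metadata[TOKEN_KEY]
    return rotated


class FakeBlob:
    """Constructed stand-in for a Cloud Storage blob, for offline runs."""

    def __init__(self, name, metadata=None):
        self.name, self.metadata, self.patched = name, metadata, False

    def patch(self):
        self.patched = True


class FakeBucket:
    """Constructed stand-in for the object returned by storage.bucket()."""

    def __init__(self, blobs):
        self.blobs = blobs

    def list_blobs(self, prefix=""):
        return [b for b in self.blobs if b.name.startswith(prefix)]


def demo():
    bucket = FakeBucket([
        FakeBlob("private/a.jpg", {TOKEN_KEY: "old-token", "owner": "alice"}),
        FakeBlob("private/b.jpg"),  # no token: must stay untouched
        FakeBlob("public/c.jpg", {TOKEN_KEY: "unrelated"}),  # outside prefix
    ])
    return bucket, rotate_download_tokens(bucket, prefix="private/")
```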
