Firebase storage file is accessed by everyone - firebase-storage

I have restricted rules:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if false;
}
}
}
but every one can access and download file from this link.
how should I restrict downloading from this link?

Download URLs by definition give read-only access to the file, and are not affected by the security rules.
If you want to control access to the file, you should not generate a download URL and instead access the file through the SDK only.

Related

Firebase: What signatures should be present in Settings?

In Firebase, whenever I try to write to Firestore I'm getting permission errors in flutter. So I wanted to ask what signatures are you supposed to put in the settings? I'm currently using the services Firestore, Auth, and AppCheck.
I have 6 signatures in my settings:
SHA-1, SHA-256: debug.keystore
SHA-1, SHA-256: upload-keystore (is this needed?)
SHA-1, SHA-256: App signing key certificate from google console
The reason why I think it has something to do with the signatures is because I'm able to write to Firestore when I'm using AndroidProvider.debug in AppCheck. But when I make my release version using AndroidProvider.playIntegrity Firestore denies me.
Error:
E/flutter (25396): [ERROR:flutter/runtime/dart_vm_initializer.cc(41)] Unhandled Exception: [cloud_firestore/permission-denied] The caller does not have permission to execute the specified operation.
Firestore rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if isDev();
}
function isAuth() {
return request.auth != null;
}
function isDev() {
let datalist = ['myemail#foo.com'];
return isAuth() && request.auth.token.email in datalist;
}
}
}
I'm using IntelliJ.
You should use the SHA-256 certificate fingerprint that you can find in App integrity > App signing key certificate on the Google Play Console.
I stumbled upon the same issue today, and this is my current working setup. Hope this helps!
Okay long story short, I found out the phone I was testing API 28 on had been previously rooted. The original ROM had eventually been reinstalled but I guess it still qualifies as being rooted according to AppCheck.

Unable to remove authentication ask from firebase storage

I have connected this app with my firebase console. I am trying to upload videos from the app to firebase storage so that another app connect to same console (which has authentication) can display it
I am getting this error when I upload:
W/System (10365): Ignoring header X-Firebase-Locale because its value was null.
I went through this question(W/System: Ignoring header X-Firebase-Locale because its value was null) on stack overflow but I am unable to remove the authentication requirement still
My firebase storage rules are:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if
true;
}
}
}
I don't understand why I am still unable to upload without authentication.(App is connected to internet too and has permission)

how to block access for non-authorized users to get pictures link from firestore storage?

I have an image link that I want to protect for only authorize users but the issue whenever I try to get the link I can see the picture, even if I specify the rule for it ?
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /profiles/{userId}/{image} {
// Read from storage !!
allow get : if request.auth != null // Authorized users only
}
}
}
If you're referring to download URLs, those are not at all controlled by security rules or any form of authentication. Anyone who has the link can view the content. That behavior can't be changed.

What is the best rules for a App published on Play Store when using Firestore Database?

i'll publish my app on Google Play Store but in test phases (Alpha Version), i was using this rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// This rule allows anyone on the internet to view, edit, and delete
// all data in your Firestore database. It is useful for getting
// started, but it is configured to expire after 30 days because it
// leaves your app open to attackers. At that time, all client
// requests to your Firestore database will be denied.
//
// Make sure to write security rules for your app before that time, or else
// your app will lose access to your Firestore database
match /{document=**} {
// allow read, write: if request.time < timestamp.date(2020, 3, 25);
allow read, write: if request.auth.uid != null;
}
}
}
But, when the app must be published to public i can't know the best path or the best rules that my app must have.
My app have a login screen and after login screen each user have your respectives documents and collections in your document generated from sign up.
I can't got think on a form to protect my app of invasors.

Firebase Storage Error when upload file

I try to upload images to firebase, but i always receive this exceptionenter image description here
By default, Firebase Storage buckets require Firebase Authentication to upload files. You can change your Firebase Storage Security Rules to allow unauthenticated access.
Something like:
service firebase.storage {
match /b/<your-firbase-storage-bucket>/o {
match /{allPaths=**} {
allow read, write;
}
}
}
Will get you up and running ASAP