I've got folders in my firebase storage like this:
userid1_userid2/image.bmp
OR
userid2_userid1/image.bmp
How do I grant access to those images only to users with userid1 or userid2? I tried several things but the documentation is not really clear to me.
Solved by using these rules:
service firebase.storage {
match /b/{bucket}/o {
match /{path}/{spath} {
allow read,write: if path[0:28] == request.auth.uid || path[29:57] == request.auth.uid;
}
}
}
Related
The time to download an image from firebase storage: 2.59s
Is there any way to speed this up to a decent time, or is firebase storage unusable for small files (images/thumbs)?
My project:
https://beach-real-estate.vercel.app/
update---
my firestone rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Listings
match /listings/{listing} {
allow read;
allow create: if request.auth != null && request.resource.data.imgUrls.size() < 7;
allow delete: if resource.data.user == request.auth.uid;
allow update: if resource.data.user == request.auth.uid;
}
// Users
match /users/{user} {
allow read;
allow create;
allow update: if request.auth.uid == user
}
}
}
Where did you choose for the firebase server location? It might just be lag? I've never experienced load times like that using firebase, unless it was for large files.
Firebase storage is basically a bucket within GCP. If you want to have faster download times, you should make your files publicly available.
If you need a guide for that, use this
There's a similar question here that may help you.
I am using Firebase Storage to store files of the user. My storage structure is as shown below. I want to allow only created file user to modify his files not to others.
profiles/uid/posts
posts/ folder contains all his uploaded files. I want to restrict between this path files from other users modification. They can see my all files between profiles/uid/posts this path. My current rules are:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
Help me to achive this. Thanks
Identify the per-UID folder like this:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /profiles/{uid}/posts/{allPaths=**} {
allow read, write: if request.auth.uid == uid;
}
}
}
I strongly suggest reading more about per-user authentication rules in the documentation.
Using Firestore, I'm trying to figure out how to restrict new user accounts to those matching a whitelist of emails. The problem is, I don't even know if it's even possible to use security rules to prevent the creation of new user accounts. I've attempted a lot of combinations. This was my best attempt:
service cloud.firestore {
match /users/{userId} {
allow read: if true;
allow create, update: if
request.resource.data.email == "bbbbb#asdfljflsaj.com";
}
}
I've also tried:
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read: if true;
allow create, update: if
request.resource.data.email == "bbbbb#asdfljflsaj.com";
}
}
}
And:
service cloud.firestore {
match /users/{userId} {
allow read: if true;
allow create, update: if
request.auth.email == "bbbbb#asdfljflsaj.com";
}
}
I'm calling 'createUserWithEmailAndPassword' to create the user and keep hoping one of the variations I try is successful, but to no avail at this point in time. I'm starting to wonder if it's even possible. Any help would be greatly appreciated!
I have a firebase storage download url, like
https://firebasestorage.googleapis.com/v0/b/siren-5eee7.appspot.com/o/profile%2FC6jNlR0F4cZBPv7wF0REWUNVor33?alt=media&token=63a9130e-2ba6-4f38-ac3f-2231c54a1043
How can I access this url without token parameter?
For example, If I access above url without token there will be 403 error showing permisson denied.
My firebase storage secure rule is below :
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
This file located in /etc file. How can I do it?
Try changing rule:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read;
allow write: if request.auth != null;
}
}
}
In case you need the rule to allow accessing only the images without a token you have to do the following:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read: if request.auth!=null || resource.contentType.matches('image/.*');
allow write: if request.auth!=null;
}
}
}
From what I understand, you're trying to make the whole bucket publicly available. Using Firebase access rules might not be best, you might want to make the bucket read access available via Google Cloud's Storage layer.
To do that, one of the easiest way is using the Google Cloud Console Storage.
Select the bucket, click the bucket to configure and open the permissions tab.
Since this is Firebase managed bucket, it would have what Google called fine-grained access control. Don't worry, adding public access is quite simple.
Click Add members button, then, on the sidebar, add in allUser as new member, and give it the role of Storage > Storage Object Viewer. You can see more detail in the Storage Docs.
This will make the bucket publicly viewable via <bucketname>.storage.googleapis.com.
If you created extra bucket in Firebase that match a domain you own and verified in Google Search Console, you can create a bucket of named after your custom domain and have it publicly accessible using a CNAME of the custom domain that points to c.storage.googleapis.com. You can see more detail at Storage Endpoints Docs, Google Cloud's docs explain it much better than I can. Hope this helps!
If you need to access to certain url (image) without token parameter use the rule below:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /images/users/default.png {
allow read;
}
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
If you need to access to certain folder without token parameter use the rule below:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /images/{wildcardpath=**} {
allow read;
}
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
Note: Change the url or folder to yours
I am authenticating to firebase using custom tokens. I want to restrict only the current user to have access to write and delete the image and grant read access to everyone.
below code is part of my swift code related to storage
let filePath = REF_STORAGE.child("/"+(FIRAuth.auth()?.currentUser?.uid)!+"/profilepic.jpeg")
let metaData = FIRStorageMetadata()
metaData.contentType = "image/jpeg"
And my current firebase storage rule is as shown below
service firebase.storage {
match /b/test-123456789.appspot.com/o {
match /{uid}/{allPaths=**} {
allow read: if request.auth != null;
allow write: if request.auth.uid == uid;
}
}
}
When i try to upload image i get the following error
User does not have permission to access gs://test-123456789.appspot.com/MYAUTHUID/profilepic.jpeg.
But if i change the storage rule to below storage rule, i am able to upload the image and the profilepic is stored under /gs://test-123456789.appspot.com/123456789/profilepic.jpeg
service firebase.storage {
match /b/test-123456789.appspot.com/o {
match /{allPaths=**} {
allow read: if request.auth != null;
allow write: if request.auth != null;
}
}
}
Kindly let me know how to fix this issue.
Does your {uid} contain any special characters? (e.g '+' sign)
Note: Firebase Support replied to me that this issue is under investigation, following a bug report I sent them 3 days ago: I discovered that calling {userid} doesn't work for me in Firebase Storage Rules if it contains the '+' sign.
I use phone numbers in E.164 format (e.g: "+97234567899").
I tried several run tests, and they clearly showed there's an issue with the value returned from {uid}:
request.auth != null; - Worked
request.auth.uid != null; - Worked
request.auth.uid == "+97234567899"; - Worked
request.auth.uid == uid; - Didn't work
However, I found a way to bypass this issue. This is what I came up with:
Solution
resource.name.split('/')[position]
Since {uid} represents a folder name, you can extract its value by manipulating the full path string of the file using resource.name, splitting it by ('/') and then selecting the relevant hierarchy.
For example: if this is your path: /Images/Profiles/{uid}/profile.jpg, then extract the uid like this: resource.name.split('/')[2]
In your code sample, I would do this:
service firebase.storage {
match /b/test-123456789.appspot.com/o {
match /{uid}/{allPaths=**} {
allow read: if request.auth != null;
allow write: if request.auth.uid == resource.name.split('/')[0];
}
}
}
Edit (July 28th, 2017)
Firebase Support has replied to my report a month ago, and the issue has been identified & now being taken care of.
However, in the meantime, if you wished to authenticate by phone number (like I did) - we shouldn't be using Custom Tokens anymore, because Firebase now supports such authentication.
For anyone still having this problem: Updating your firebase security rules to the following did the trick for me.
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth.uid != null;
}
}
}