Firebase revoking download URL doesn't work

Question

I am using firebase, react and react-native to develop an MVP app where users can upload image files and other users can retrieve them for viewing, and I am using firebase storage and the getDownloadURL() function.

I know that there are other ways of retrieving firebase storage files, but I want to use the downloadURL so that unauthenticated users may also view the images.

I know that downloadURL is public and access to files cannot be restricted even by firebase security rules.

N.netheless, there is the revoke function where I can supposedly revoke the access token, ie the downloadURL. At the firebase console, I tried it out. It turns out that every time I revoke it, firebase generates a new one as replacement. More problematic is that I can still use the old (revoked) URL to access the image files. I checked out at the browser developer tool. The URL used by the browser was indeed the revoked URL. I used a new browser to ensure that the problem is not related to the cache. Even if I use a react-ative app, the same problem appears.

The image cannot be accessed only if I completely delete it from the firebase storage.

What is the problem here? Have I missed something?

I have looked up the firebase documentation and searched for similar issues on stackoverflow but cannot get an answer. Other people don't seem to have this problem.

Answer 1

The reason why you can still access the revoked urls is because in your firebase storage rules you have accepted reads for all users, whether authenticated or unauthenticated. To prevent access to revoked urls, use the following in your firebase storage rules.

NB// This will require all users to be authenticated inorder to get the download url

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}