Firebase revoke token on download url

Question

When I simple "took" a images on firebase console it create me automatically a download url like https://firebasestorage.googleapis.com/XXX/YYY/XXX/name.jpg?alt=media&token=.

I wanna have my file super-secured, how I can remove this download url or revoke this token?

score 2 · Answer 1 · answered Feb 06 '18 at 01:50

2

The Firebase console provides a "revoke" option next to the download URL which can be used for this (look under the "File Location" tab). You should use Firebase rules to properly secure your assets, if object-level security is important to you: https://firebase.google.com/docs/storage/security/

answered Feb 06 '18 at 01:50

Hiranya Jayathilaka

7,180
1
23
34

2

Let me point out that the "Revoke" option will revoke that specific token, but will generate a new one right after. – Rosário Pereira Fernandes Feb 08 '18 at 15:59

score 2 · Answer 2 · answered Feb 08 '18 at 21:48

2

There's no way you can restrict that url (not even through security rules). It is always public but note that it is unguessable. There is also a revoke option through Firebase console just in case the URL leaks.

answered Feb 08 '18 at 21:48

goblin

1,513
13
13

Conceptually, you should consider having the token the same as having the image, and so you should look into protecting access to the image itself. There's more info [here](https://stackoverflow.com/questions/41088164/enforce-authentication-for-firebase-storage-downloadable-urls). – katfang Feb 09 '18 at 22:25
My question is how I can revoke token through flutter code – Noobdeveloper Jul 22 '21 at 20:32

score 0 · Answer 3 · answered Jan 29 '19 at 21:32

As pointed by others you don't need to be concerned about this URL as in practice is very hard to guess. However you should not share it or use it as entry point to the application. Instead you should use the Signed URLs support provided by Google Cloud.

Firebase revoke token on download url

3 Answers3

Linked