I'm creating a social network. It will use a follow/unfollow model. Profiles can be public or private (like Twitter or Instagram).

Users can create photos that will be stored in Google Cloud Storage. Database is being handled by Google Firestore.

Currently my Storage hierarchy is

bucket / users / {userId} / images***

My question is: How do I limit access to a certain user's photos using Cloud Storage Security Rules?

I'd like people to only be able to view another's photos if:

1. they are following that user, or
2. the user is public

This seems like a super common use case, but I have not been able to find any answers on it. I've seen other questions on it, but they don't solve the problem.

Is it possible to set storage rules using firestore of Firebase?

Or

Can Firebase Cloud Storage rules validate against Firestore data?

  • Frank van Puffelen talks about using custom tokens to set access. In his example he uses "guilds" (which could substitute for a user's followers) such as admin.auth().setCustomUserClaims(uid, {guild1: true})
  • But this won't work for someone who's following hundreds or thousands of accounts. You'd need to have each userId that a user follows and set it to true. E.g. user1 follows user2/user3/user4/user5/user6/user7/user8....user1000. That's a lot of data to cram into a token (and "Custom claims payload must not exceed 1000 bytes.")
  • You'd need some other method for public profiles.

I also looked at the official documentation; the only sort-of-relevant example reiterates the same custom tokens for groups (which doesn't work for the reasons stated above):

Please let me know if you have any suggestions for limiting access in a follow/unfollow model (public/private) using Cloud Storage Security Rules.

siefix
  • I can give only a little instruction, as per the Realtime Database of Firebase: you can structure your data like a followers node, under it the user ids, and under these ids the followers' ids, so a user's post can be read by the user itself or root.child(followers).child($uid).exist. Add this rule under the user_posts; in the same way you can apply it to your collections or data – vaibhav sharma Aug 04 '18 at 20:27
  • You misread the question. I need to implement Cloud Storage Security Rules to limit access (and they don't interoperate with databases). I know how to use security rules for my database using Firestore Security Rules. – siefix Aug 04 '18 at 21:14

0 Answers
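Added example, not part of the original question or its comments: Cloud Storage Security Rules now expose `firestore.get()` and `firestore.exists()`, so the "public or follower" check can read Firestore directly instead of packing follow lists into custom claims. The Firestore layout (`users/{userId}` with an `isPublic` field, and a `followers` subcollection keyed by follower uid) and the `{imagePath=**}` wildcard are assumptions made for illustration.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Assumed Firestore layout (hypothetical, not from the question):
    //   users/{userId}                        -> { isPublic: <bool> }
    //   users/{userId}/followers/{followerId} -> exists while followerId follows userId

    // True when the photo owner's profile document is marked public.
    function isPublic(userId) {
      return firestore.get(/databases/(default)/documents/users/$(userId)).data.isPublic == true;
    }

    // True when the signed-in caller has a follower document under the owner.
    // The null check comes first so unauthenticated requests are denied cleanly.
    function isFollower(userId) {
      return request.auth != null
        && firestore.exists(/databases/(default)/documents/users/$(userId)/followers/$(request.auth.uid));
    }

    // True when the caller is the owner of the folder.
    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Matches the hierarchy from the question: users/{userId}/images...
    match /users/{userId}/{imagePath=**} {
      // Owner check is first so it short-circuits before any Firestore read.
      allow read: if isOwner(userId) || isPublic(userId) || isFollower(userId);
      // Only the owner may upload, overwrite or delete their own photos.
      allow write: if isOwner(userId);
    }
  }
}
```

Because the follower documents now decide who can read photos, the Firestore rules must restrict who can create them (for a private profile, only after the owner approves). Download URLs obtained through `getDownloadURL()` carry their own token and are not re-checked against these rules.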