
I have the following data structures in Firebase

Firebase Database

House/(id)/Viewers/(UID)/{
    startDate = "Dec 1, 2019"
    endDate = "Dec 8, 2019"
}

Firebase Storage

House/(id)/SensitiveImages/sensitiveImage.png

I want to write a rule in Firebase Storage that only allows access to the SensitiveImages folder if the user's UID is inside of the list of Viewers and the current time is between the startDate and endDate. However, there is no way to access this information from inside the Firebase Storage rules. How can I do this?

Cameron Henige
  • Does this answer your question? [Creating Firebase Storage Security Rules Based on Firebase Database Conditions](https://stackoverflow.com/questions/52808389/creating-firebase-storage-security-rules-based-on-firebase-database-conditions) – bastien Dec 05 '19 at 18:26
  • @bastien That does not help me because as far as I know, custom claims don't expire and can't be cross checked with a startDate and endDate when they are used. – Cameron Henige Dec 06 '19 at 21:48

1 Answer


One possibility is to write a Cloud Function that serves as the "processor" for image requests. Rather than access the image directly, we could expose a Cloud Function as the proxy for the image. The Cloud Function could then evaluate an expression using current date and requestor identity in conjunction with the data stored in the database. If allowed, then the Cloud Function could return the raw data which the Cloud Function is authorized to access.

As an alternative to the Cloud Function returning the data, the Cloud Function could return a URL that could be used to access the data. This could be a signed URL from Google Cloud Storage that would give only the possessor of that URL access and would also be time bound to prevent access after expiration.

Kolban
  • Thanks for the answer. I wrote some pseudocode for this and it made me realize that this has some flaws. The flaw with your first approach is that it will require the client downloading the image every time. For my app, this would be a huge waste of bandwidth. The flaw with your second approach is that if the start/end dates change, the signed url will still work outside of the new start/end dates. Do you know of any ways around these issues? – Cameron Henige Dec 05 '19 at 20:47
  • Howdy Cameron ... not following the client downloading every time ... is this an Android app where you want to store the image locally? For the signed-url concept, we could make the duration of the valid URL really short ... 1 minute for example. That would be enough time to retrieve the image one time. We could then recreate a new signed URL for each request taking account of the current access allowed dates? Basically ignore the signed-url timeout concept and just use it for immediate access based on expression evaluation. – Kolban Dec 05 '19 at 21:46
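
The per-request check and short-lived signed URL discussed in the answer and its comments, as an added example that is not code from anyone in the thread. All function names and the injected `deps` object are hypothetical; the lookup and signer are injected so the logic runs without the Firebase SDKs. It assumes dates in the question's "Dec 1, 2019" format, read as UTC days with endDate inclusive.

```javascript
// Added example: parseDay, decideAccess, handleImageRequest and deps.* are hypothetical names.
const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
const DAY_MS = 24 * 60 * 60 * 1000;
const URL_TTL_MS = 60 * 1000; // "1 minute for example", as suggested in the comments

// Parse the "Dec 1, 2019" format from the question as midnight UTC; NaN if malformed.
function parseDay(text) {
  const m = /^([A-Z][a-z]{2}) (\d{1,2}), (\d{4})$/.exec(String(text));
  if (!m) return NaN;
  const month = MONTHS.indexOf(m[1]);
  if (month < 0) return NaN;
  const ms = Date.UTC(+m[3], month, +m[2]);
  // Reject rollovers such as "Feb 31", which Date.UTC would silently turn into March.
  return new Date(ms).getUTCDate() === +m[2] ? ms : NaN;
}

// Pure decision. viewer is the value stored at House/(id)/Viewers/(UID), or null if absent.
// Assumption: endDate is inclusive through the end of that UTC day.
function decideAccess(viewer, nowMs) {
  if (!viewer) return { allow: false, reason: 'not-a-viewer' };
  const start = parseDay(viewer.startDate);
  const end = parseDay(viewer.endDate);
  // Fail closed: a record with unreadable dates grants nothing.
  if (Number.isNaN(start) || Number.isNaN(end)) return { allow: false, reason: 'bad-dates' };
  const windowEnd = end + DAY_MS;
  if (nowMs < start || nowMs >= windowEnd) return { allow: false, reason: 'outside-window' };
  // The signed URL never outlives the viewing window.
  return { allow: true, urlExpiresMs: Math.min(nowMs + URL_TTL_MS, windowEnd) };
}

// Request flow. In a deployed function, getViewer would wrap
// admin.database().ref(path).once('value') and signUrl would wrap
// bucket.file(path).getSignedUrl({ version: 'v4', action: 'read', expires }).
async function handleImageRequest(deps, uid, houseId) {
  // uid must come from a verified ID token, never from a request parameter.
  const viewer = await deps.getViewer(`House/${houseId}/Viewers/${uid}`);
  const decision = decideAccess(viewer, deps.now());
  if (!decision.allow) return { status: 403, reason: decision.reason };
  const path = `House/${houseId}/SensitiveImages/sensitiveImage.png`;
  return { status: 200, url: await deps.signUrl(path, decision.urlExpiresMs) };
}
```

Because the database is re-read on every request, a change to startDate or endDate takes effect within at most the one-minute URL lifetime. Direct client reads of the SensitiveImages path in Storage rules should be denied so the function is the only route to the file.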