So I have a bucket of images in my Firebase Storage. Everyone's images go in there and I am concerned about security because if a user is authenticated, I think they can read and write everyone's images. This is not good.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /images/{imageId} {
      allow read: if request.auth != null;
      // Only allow uploads of any image file that's less than 10MB
      allow write: if request.auth != null && request.resource.size < 10 * 1024 * 1024;
    }
  }
}
I want multiple/specific users that have access to the files to be able to access them and no one else. Also, access should be dynamic (a user can gain or lose access). I've seen others secure files specific to one user by adding a {userId} wildcard in the match statement, but I want MULTIPLE users. From my research, it sounds like the only way to do this would be through custom claims. I want to make sure this is correct before I dive too deep into it. It looks like custom claims can only store 1000 bytes of data too, so that might be a bottleneck in my case.
Thanks!
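
Added example, not part of the original question: a Node.js model of the custom-claims approach and the 1000-byte limit mentioned above, showing how many image IDs one user's allow-list can hold. The claim name `images`, the helper names, the sample rule in the comment and the 20-character IDs are assumptions made up for this sketch.

```javascript
// Models a per-user image allow-list stored in Firebase Auth custom claims.
// Assumption: the list lives in a claim called `images` (hypothetical name).
const MAX_CLAIMS_BYTES = 1000; // limit quoted in the question

// Size of the claims object as serialized JSON, in bytes.
function claimsSize(claims) {
  return Buffer.byteLength(JSON.stringify(claims), 'utf8');
}

// Return new claims with imageId granted; refuse if the payload gets too big.
function grant(claims, imageId) {
  const images = new Set(claims.images || []);
  images.add(imageId);
  const next = { ...claims, images: [...images].sort() };
  if (claimsSize(next) > MAX_CLAIMS_BYTES) {
    throw new RangeError(`claims would be ${claimsSize(next)} bytes`);
  }
  return next;
}

// Return new claims with imageId removed.
function revoke(claims, imageId) {
  const images = (claims.images || []).filter((id) => id !== imageId);
  return { ...claims, images };
}

// Mirrors a rule such as (assumed, not from the question):
//   allow read: if imageId in request.auth.token.images;
function canRead(token, imageId) {
  return token != null && Array.isArray(token.images) &&
    token.images.includes(imageId);
}

// Count how many constructed IDs of a given length fit before grant() refuses.
function capacity(idLength) {
  let claims = {};
  let n = 0;
  try {
    for (;;) {
      claims = grant(claims, String(n).padStart(idLength, '0'));
      n++;
    }
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;
  }
  return n;
}
```

With 20-character IDs, `capacity(20)` stops at 42 entries, so the allow-list is exhausted quickly. Claims are carried in the ID token, so a revoked entry remains in tokens already issued until they are refreshed.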