0

I have built an app that allows customers to purchase access to download files that are stored using Firebase Storage. When they make the purchase, the asset ID from Storage is linked to their user ID using Firebase Firestore. It looks like it is not possible to update the Firebase Storage server side security rules to use the Firestore record. However I have found that it is possible to add custom claims to the Firebase User or to update the image metadata in storage to include the user ID.

https://firebase.google.com/docs/auth/admin/custom-claims

https://firebase.google.com/docs/storage/web/file-metadata

Is either method (updating user custom arguments, or updating the storage asset metadata) a better method in terms of scaling up this app to check if the user can access the asset that they are trying to download using Firebase Storage server side security rules?

Thank you

Improve this question

2 Answers 2

Reset to default
0

Neither one is better than the other. They are simply different tools for different jobs. Custom claims provides a way to give a user access to a set of objects, as defined by a rule that matches those objects. Metadata provides a way to tag a single object for access defined by a rule. For the most part, they don't really overlap in utility. Pick the one that best suits your use case.

Improve this answer
0

As of Sep 2022 this is now possible: https://firebase.blog/posts/2022/09/announcing-cross-service-security-rules

One potential implementation for you would then be to update the user's firestore doc with an access key, then use something along the lines of

firestore.get({path to user doc}).data.{accessKey}

within the security rules.

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.