When uploading a file to Firebase Storage using the uploadBytes
function from the Firebase client SDK, it automatically generates a download token and includes it in the response. Even though I have set strict rules to prevent public read access, the presence of this token seems to compromise the security of the uploaded file. Here are the details:
I have a simple form that allows users to upload a file, which is then stored in Firebase Storage. My Firebase Storage rules are configured as follows:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read: if false;
allow write: if request.resource.contentType.matches('application/pdf') && request.resource.size < 10 * 1024 * 1024
}
}
}
These rules prevent public read access but allow uploading PDF files smaller than 10 MB.
When I use the uploadBytes
function from the Firebase client SDK to upload a file, the response in the browser console's network tab includes a downloadTokens
property with a token value, like this:
{
"name": "sample/sample.pdf",
"bucket": "test-12345.appspot.com",
"generation": "1715231448324075",
"metageneration": "1",
"contentType": "application/pdf",
"timeCreated": "2024-05-09T05:10:48.325Z",
"updated": "2024-05-09T05:10:48.325Z",
"storageClass": "STANDARD",
"size": "3375",
"md5Hash": "vd9mAXeW3724WRQ2sqSkRQ==",
"contentEncoding": "identity",
"contentDisposition": "inline; filename*=utf-8''sample.pdf",
"crc32c": "Wn3FaQ==",
"etag": "COuvvYnn/4UDEAE=",
"downloadTokens": "767eb459-bae2-41ed-9bb3-cf2cad0d71a4"
}
My concern is that a malicious user could potentially guess the public download URL for the file using the information in this response, thereby compromising the file's security.
I cannot use server-side uploading as a workaround because I am using Next.js API routes hosted on Vercel, which has payload limitations that prevent me from performing the upload task on the server-side.
Question: Is this behavior of automatically generating download tokens a security concern, or is it the default and intended behavior of Firebase Storage? If it is a security concern, is there a way to prevent or mitigate this issue without using server-side uploading?
Please let me know if I can provide any additional information or clarify my question further. Thanks in advance.