
I'm facing an issue with Firebase Cloud Storage rules. I want to restrict access to the files in my storage for users who are not logged in. I wrote a basic rule that should not give access to an unlogged user, but it doesn't work.

My rules in cloud storage on firebase console:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid != ''
    }
  }
}

Use case: If I open a window in incognito mode, the file can be opened by entering the download URL link provided by Firebase Storage (which should not be the case with that rule).

PS: As I can see in this related post and this one, the URL link is a public resource (not editable) and the token provided in the URL is secure, so no one on the net can access my cloud storage? But in that case, how do I authorize access to certain files for certain users? Example: I have files from different companies, and I don't want a person from company A to have access to a file from company B. How do I control access to that file (download URL link with its token)? Thanks

1 Answer

A download URL gives any user who has it public, read-only access to the underlying file. There is no access control (through security rules or otherwise) anymore at this point.

So if you want to control access to the files with security rules, you should not generate download URLs, and instead have all access go through the SDK methods, which are checked against your security rules.

  • Can you please be more precise? That means I need to control who is accessing the files through my front/back code (because according to cloud storage rules I could not do anything to restrict access)?
    – Dorian
    Commented Apr 4, 2023 at 15:11
  • Are you re-asking "But in that case how to authorized access to certain file to certain user"? If so, have a look here: firebase.google.com/docs/rules/basics#cloud-storage_2
    Commented Apr 4, 2023 at 20:44
  • Exactly, thanks for your link!
    – Dorian
    Commented Apr 5, 2023 at 12:05
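
For the company A / company B case raised in the question, one way to write the rules, as an added example that is not from the original posts: it assumes files are stored under `companies/{companyId}/` and that each user's ID token carries a custom claim named `companyId` (both names are hypothetical).

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // Assumption: the user's ID token carries a custom claim "companyId",
    // set server-side. The claim name is hypothetical.
    function belongsTo(companyId) {
      return request.auth != null
          && request.auth.token.companyId == companyId;
    }

    // Assumption: every file lives under companies/<companyId>/...
    // A signed-in user of company A matches only companies/A/**.
    match /companies/{companyId}/{allPaths=**} {
      allow read, write: if belongsTo(companyId);
    }

    // No other match block: paths outside companies/ are denied by default.
  }
}
```

These rules are evaluated only for requests made through the SDK; as the answer states, a download URL that has already been handed out gives read access without any rule check.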
