How to revoke access tokens on all files within specific folder/bucket in Firebase Storage

Question

I have Firebase Storage that holds hundreds of files secured by Storage rules. The rules check if user requesting the file (URL) has sufficent permissions in Firestore Database.

The problem is that if user tries to access the resource, and is authorized, gets a permanent public link (access token), which can be caught, leaked and accessed by everyone on the whole internet. The link being permanent is unacceptable and represents huge security risk.

The access token (to file) can be revoked in Firebase console by clicking on "Revoke" under "File location" which invalidates the original public link, generating new one on next demand of authorized user. Which is ok.

The question is, is there a way to revoke access tokens on ALL files inside specific bucket/folder at once? Or in a loop, programatically?

Answer 1

The download token that Firebase stores for each object is stored as metadata on the object itself. All you have to do is write a program to:

1. Iterate each of the objects in storage using the "list files" API
2. Remove that token metadata (named firebaseStorageDownloadTokens) from the object

See:

• How to list files and folders in Firebase Storage
• Generate acces token when uploading file to firebase storage
• How can I generate access token to file uploaded to firebase storage?

Keep in mind that the download token metadata is not documented by Firebase and is considered an implementation detail, so your code might not work in the future.