In typical apps, developers must build and maintain many servers that perform authentication, authorization, and data validation, as well as the developer's business logic. Apps using Firebase Storage make use of Firebase Authentication and Firebase Storage Security Rules to handle serverless authentication, authorization, and data validation.
Using Firebase Storage and Storage Security Rules means that you can focus on building a great user experience, without having to manage infrastructure or write complex server-side authentication and authorization code!
Overview
Storage Security Rules are used to determine who has read and write access to
files stored in Firebase Storage, as well as how files are structured and
what metadata they contain. The basic type of rule is the allow
rule, which
allows read
and write
operations if an optionally specified condition is
met. Some examples of rules are:
// Rules can optionally specify a condition allow write: if <condition>;
Rules match
file paths representing
Firebase Storage references. Rules
may match
one or more file paths, and more than one rule can match
the file
path in a given request
:
// Rules match specific paths match /images/profilePhoto.png { allow write: if <condition>; } match /images/croppedProfilePhoto.png { allow write: if <other_condition>; }
The context of the rule evaluation is also exposed through the request
and
resource
objects, which provide information such as the auth context
(request.auth
) and the existing object's size (resource.size
).
// Rules can specify conditions that consider the request context match /images/profilePhoto.png { allow write: if request.auth != null && request.resource.size < 5 * 1024 * 1024; }
Learn more about Storage Security Rules in the Secure Files section.
Sample Rules
Storage Security Rules must first specify the service
(in our case
firebase.storage
), and the Firebase Storage bucket
(via match /b/<your-firebase-storage-bucket>/o
) which rules are
evaluated against. The default rules require Firebase Authentication, but here are
some examples of other common rules with different access control.
Default
// Only authenticated users can read or write to the bucket
service firebase.storage {
match /b/<your-firebase-storage-bucket>/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
Public
// Anyone can read or write to the bucket, even non-users of your app.
// Because it is shared with Google App Engine, this will also make
// files uploaded via GAE public.
service firebase.storage {
match /b/<your-firebase-storage-bucket>/o {
match /{allPaths=**} {
allow read, write;
}
}
}
User
// Grants a user access to a node matching their user ID
service firebase.storage {
match /b/<your-firebase-storage-bucket>/o {
// Files look like: "user/<UID>/path/to/file.txt"
match /user/{userId}/{allPaths=**} {
allow read, write: if request.auth.uid == userId;
}
}
}
Private
// Access to files through Firebase Storage is completely disallowed.
// Files may still be accessible through Google App Engine or GCS APIs.
service firebase.storage {
match /b/<your-firebase-storage-bucket>/o {
match /{allPaths=**} {
allow read, write: if false;
}
}
}
During development, you can use the public rules in place of the default rules to set your files publicly readable and writable. This is very useful for prototyping, as you can get started without setting up Firebase Authentication. However, because Firebase Storage shares a bucket with your default Google App Engine app, this rule also makes any data used by that app public as well.
User rules allow you to give each of your authenticated users their own personal file storage. You can also lock down your files entirely by using the private rules, but be aware that your users won't be able to read or write anything through Firebase Storage with these rules. Users accessing files from your Google App Engine app or the GCS APIs may still have access.
Before launch, make sure that you evaluate your rules to ensure they provide the maximum level of security your application needs.
Edit Rules
Firebase Storage provides an easy way to edit your Storage Security Rules
via the Rules tab in the Firebase console Storage section.
In the Rules tab, you can quickly and easily view and edit your current
rules. These rules are deployed by clicking Publish, or by saving the file
(ctrl/cmd + s
). Rules are immediately uploaded to Firebase Storage
servers, but may take up to five minutes to become live.
Learn more about how file based security works in the Secure Files section, or understand user based security in the User Security section.