Firebase storage (non changing download link possible?)

Hi, I was wondering if it's possible to save an image to Firebase Storage and then, if you change the image, the link stays the same.

I'm trying to do this so that, for example, when a user makes a comment, I can store his profile along with the comment, and if he ever changes his profile, there won't be any need to go back and change his profile in every comment he ever made.

Maybe this would be possible if you could set a specific download link when uploading an image. (A while ago I saw an option for the download link in the Firebase Storage logic, but now, after an update, it is no longer available. Nevertheless, I don't even know if this was what I'm looking for.)

Below you can see my attempt: I uploaded an image and then another one to replace it, but the only difference is the access token.

As for the access token, in Firebase you can change it, but it's only auto-generated.

So am I missing something? Do you think predetermining the Firebase Storage link is possible?


When changing a file in the firebase storage (that is POST a file to the same path of an already existing file and thereby replacing the older file), the storage-path stays the same but the access token changes. Thereby the download-url changes.

In my opinion there are 3 ways (maybe a 4th “hacky” way) of dealing with this:

The download-url looks like this:
“storage-path”?alt=media&token=“access-token”

  1. Defining the access token yourself as part of the metadata when uploading/changing files; this is described here (A guide to Firebase Storage download URLs and tokens | Sentinel Stand). But I don’t recommend this as the author calls it “hacky”.
  2. saving the download-url in only one document, that is accessible by all appropriate users and keeping this document up to date when changing a file in firebase storage.
  3. splitting the download-url into the “storage-path” and the “access token”. Only the storage part needs to be stored at every comment-document (regarding your terms above). The access token can change over time, so the user requests the current access token with an HTTP request:
    GET “storage path” (without alt=media or token=…)
    and with the Auth in the header: “Bearer …”
    Then you will receive a JSON object including the access token (called “downloadTokens”)
    Finally you can glue the “storage path” and the just received “access token” together and download the file.
  4. You might consider saving the file in a part of your Firebase storage that is not restricted by your security rules. This way the file is public to the entire world and no access token is needed at all.

Thank you so much for sharing this knowledge. From your options, I understand that:

In no. 2, I think this is a great option, but the downside is that there will always be an extra document read needed in order to access one profile pic, and so in my example there won't be any need to store the profile image of the user in the comment; I could just go ahead and access the image from the user's profile (again making one doc read).

In no. 3, if I understand correctly, the need for updating will remain, but this time only the access token will need to be updated (for example, in every comment of the user).

But the last option sounds so promising for my case. I don't know exactly why the access token would be necessary for a profile image, because it is something accessible by everyone (if you think it is necessary, please let me know). (Also, I don't know if the access token is needed for changing the file or is just needed when reading the file; if you know, please let me know too.)
And on the other hand, if you agree that the access token is not needed, I don't know how to set it up so the access token is not there. Is it possible through the AppGyver logic or through Firebase?

Lastly, sorry for this huge response, but I wanted you to hear my thoughts so you can let me know if I'm wrong somewhere.

The access token is created for every file in Firebase storage individually, regardless of the security rules. But the access token is not always required to get the file!

Depending on the security rules:

  • if reads are restricted (e.g. allow read: if request.auth.uid != null; ), the access token is required. The logic is that only an authorized user can use GET to receive the access token. Firebase storage will respond with metadata including the access token, and the user can then receive the file with a second GET. This is what I described in option 3 above.
  • if reads are not restricted (e.g. allow read: if true; ), the access token still exists, but is ignored. The user can GET the file without the token and only needs to use the “storage path” and add the parameter alt=media.

Now I see, thank you. One last thing: do you think leaving the rules open without authentication (for that bucket) is an important disadvantage, or do you think it's a bit risky? Meaning, would you do it in your app?

The decision should depend on whether the files are private or public. In many use cases the “profile pictures” are public (like in this forum :) ). Only you know if that is OK with your users or not.
Nevertheless, in case you decide that the profile pictures are OK to be public, then only the ‘read’-rule and not the ‘write’-rule should be open to everybody.
Technically, as the ‘read’-rule can be broken into ‘get’ and ‘list’, you can restrict it a bit more and only open up the ‘get’-rule.

Hi @Dimos_Vamvourellis ,

there is also an additional option, I just realized when testing the methods in postman.com again:

Files can be downloaded as well without the access token and the security rule set to “allow read: if request.auth.uid != null;”

  • http request with GET
  • using the ‘storage path’ and the parameter alt=media
  • not using the access token
  • authorizing with the idToken (that is in the Header: Authorization: “Bearer YourIdToken” )
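
The two request flows described in option 3 and in the post just above, as an added JavaScript example (not code from anyone in this thread). The host `firebasestorage.googleapis.com/v0/b/…/o/…`, the bucket, the object path and the token values are assumptions or constructed sample data; the thread itself only gives the “storage-path”?alt=media&token=… shape.

```javascript
// Added example. Bucket, object path, and tokens are constructed placeholders.
const BASE = "https://firebasestorage.googleapis.com/v0/b";

// The "storage path": it does not change when the file is replaced, so this
// is the part a comment document can store. The object name is a single URL
// path segment, so every "/" inside it must be encoded as %2F.
function storagePath(bucket, objectPath) {
  return `${BASE}/${encodeURIComponent(bucket)}/o/${encodeURIComponent(objectPath)}`;
}

// Option 3, first GET: metadata only (no alt=media, no token), authorized
// with the signed-in user's ID token in the header, never in the URL.
function metadataRequest(bucket, objectPath, idToken) {
  return { method: "GET", url: storagePath(bucket, objectPath),
           headers: { Authorization: `Bearer ${idToken}` } };
}

// Option 3, second step: glue the storage path and the current access token.
// "downloadTokens" is a comma-separated string when a file carries several
// tokens; the first one is used here.
function downloadUrlFromMetadata(bucket, objectPath, metadata) {
  const token = String(metadata.downloadTokens || "").split(",")[0].trim();
  if (!token) throw new Error("metadata has no downloadTokens");
  return `${storagePath(bucket, objectPath)}?alt=media&token=${encodeURIComponent(token)}`;
}

// Variant from the later post: one GET with alt=media and the ID token,
// without any access token in the URL.
function directDownloadRequest(bucket, objectPath, idToken) {
  return { method: "GET", url: `${storagePath(bucket, objectPath)}?alt=media`,
           headers: { Authorization: `Bearer ${idToken}` } };
}

// Constructed sample of the metadata JSON, trimmed to the relevant fields.
const sampleMetadata = {
  name: "profiles/user123/avatar.png",
  bucket: "example-app.appspot.com",
  contentType: "image/png",
  downloadTokens: "11111111-2222-3333-4444-555555555555",
};

console.log(downloadUrlFromMetadata(sampleMetadata.bucket, sampleMetadata.name, sampleMetadata));
```

Only the storage path is stable across uploads, so the token-bearing URL is rebuilt at display time rather than stored with each comment.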

Hey, I just saw your response. I will take everything into consideration, thanks again for your help!

Can you share the Firebase Storage rules that work with “Firebase Storage upload files”? Mine are not working. The rule I’m trying to implement is:
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read: if true;
    }
    match /{allPaths=**} {
      allow write: if request.auth.uid !< null;
    }
  }
}

Since this is now blocking my requests - I had to open up my storage as public.

I’m using the HTTP Requests for all Firebase auth steps, as I was not able to implement the Firestore database rules. Does this have a role to play?

Any idea what is going on here?

I had the reads and writes as true