I have a python cloud function that uploads an image to users/{user_id}/images/{some_id}.jpg
However, I am struggling with how to display the image in the app for the authenticated user in a way that complies with Firebase Storage security rules.
I have added the following part in security rules:
match /users/{userId}/images/{allPaths=**} {
  allow read: if request.auth.uid == userId;
  allow write: if false;
}
If I use a public URL (by using blob.make_public()), it bypasses the Firebase security rules.
However, if I simply use the image file's URL containing the access token and put that in the image path in my FlutterFlow app, it still bypasses the security rules. That is, I am able to access one user's files through another user's account.
(I tested this with a new file since once a blob is made public it does not go private apparently)
But if I remove the access token, the files become inaccessible even to the users that should qualify according to the security rules.
And according to my testing, uploading a file from the app also generates a URL containing an access token.
In summary, making the blob public makes it accessible to everyone. And not doing so, but storing a URL with an access token, also makes it accessible to anyone with the stored link. What am I doing wrong here?
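The reason the stored link works from any account is that a download URL with an access token (and a public blob) is a bearer credential that the security rules are never asked about; only SDK calls that carry the user's ID token are evaluated against `allow read: if request.auth.uid == userId`. The following is an added illustration, not code from the question or from FlutterFlow, of reading the image through the SDK by object path instead of by URL; it assumes the Flutter `firebase_storage` and `firebase_auth` packages, that the cloud function stores only the object path (or just `some_id`) rather than a URL, and a hypothetical 10 MiB size cap.

```dart
import 'dart:typed_data';
import 'package:firebase_auth/firebase_auth.dart';
import 'package:firebase_storage/firebase_storage.dart';
import 'package:flutter/material.dart';

/// Loads the signed-in user's own image by storage PATH rather than by a
/// stored download URL. The SDK attaches the user's ID token, so the
/// `allow read: if request.auth.uid == userId` rule is actually evaluated;
/// no tokenised URL or public blob is involved, so nothing can be shared.
Future<Uint8List?> loadOwnImage(String someId) async {
  final uid = FirebaseAuth.instance.currentUser?.uid;
  if (uid == null) {
    // Not signed in: request.auth would be null and the rule would deny.
    return null;
  }
  // Object key matches what the cloud function wrote: users/{uid}/images/{id}.jpg
  final ref = FirebaseStorage.instance.ref('users/$uid/images/$someId.jpg');
  try {
    // Hypothetical 10 MiB cap so an oversized object cannot exhaust memory.
    return await ref.getData(10 * 1024 * 1024);
  } on FirebaseException catch (e) {
    // A rule denial surfaces as 'unauthorized'; treat it like a missing image.
    if (e.code == 'unauthorized' || e.code == 'object-not-found') return null;
    rethrow;
  }
}

/// Renders the bytes directly; no access-token URL is ever stored or displayed.
class OwnImage extends StatelessWidget {
  const OwnImage({super.key, required this.someId});
  final String someId;

  @override
  Widget build(BuildContext context) {
    return FutureBuilder<Uint8List?>(
      future: loadOwnImage(someId),
      builder: (context, snap) {
        if (snap.connectionState != ConnectionState.done) {
          return const CircularProgressIndicator();
        }
        final bytes = snap.data;
        if (bytes == null) return const Icon(Icons.broken_image);
        return Image.memory(bytes);
      },
    );
  }
}
```

With this approach another user's account gets `unauthorized` from the rules, whereas a download URL with its token, once handed out, keeps working for anyone who holds it regardless of the rules.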