Firebase Storage Image Paths/Links and Security Rules

Integrations
Resolved

I have a Python cloud function that uploads an image to users/{user_id}/images/{some_id}.jpg
However, I am struggling with how to generate a Firebase Storage security-rules-compliant way to display the image in the app for the authenticated user.

I have added the following part in security rules:
match /users/{userId}/images/{allPaths=**} {
  // Only the signed-in owner of the folder may read; the client SDK may never write.
  allow read: if request.auth.uid == userId;
  allow write: if false;
}

If I use a public URL (by using blob.make_public()), it bypasses the Firebase security rules.

However, if I simply use the image file's URL containing the access token and put that in the image path in my FlutterFlow app, it still bypasses the security rules. That is, I am able to access one user's files through another user's account.
(I tested this with a new file, since once a blob is made public it does not go private apparently.)
But if I remove the access token, the files become inaccessible even to the users that should qualify according to the security rules.
And according to my testing, uploading a file from the app also generates a URL containing an access token.

In summary, making the blob public makes it accessible to everyone. And not doing so, but storing a URL with an access token, also makes it accessible to anyone with the stored link. What am I doing wrong here?

What have you tried so far?

Using a public URL

Using a URL containing an access token

Did you check FlutterFlow's Documentation for this topic?
No
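Storage security rules only gate reads made through the Firebase SDK with the user's auth context; a public ACL or a ?token= download URL is a bearer capability that never consults them. One rules-consistent alternative for the Python cloud function described in the post is to check that the verified caller owns the object path and then mint a short-lived signed URL instead of a permanent token link. This is an added example, not code from the post or from FlutterFlow; it assumes google-cloud-storage's Blob.generate_signed_url (whose runtime identity must be allowed to sign), that `uid` is taken from the function's verified auth context (hypothetical `req.auth.uid`), and it uses a constructed FakeBucket so it runs offline.

```python
import posixpath
from datetime import timedelta

# Mirrors the rule in the post: match /users/{userId}/images/{allPaths=**}
OWNED_SEGMENTS = ("users", None, "images")  # None stands for the caller's uid


def is_owned_image_path(uid: str, path: str) -> bool:
    """True only for a canonical object path under users/<uid>/images/."""
    if not uid or not path or path.startswith("/") or "\\" in path:
        return False
    # Reject anything that normalises differently ("..", ".", "//", trailing
    # "/") instead of cleaning it up and trusting the result.
    if posixpath.normpath(path) != path:
        return False
    parts = path.split("/")
    if len(parts) <= len(OWNED_SEGMENTS):  # bare prefix, no object name
        return False
    expected = [uid if seg is None else seg for seg in OWNED_SEGMENTS]
    return parts[: len(expected)] == expected


def issue_short_lived_url(uid: str, path: str, bucket, minutes: int = 15) -> str:
    """Return a V4 signed GET URL for `path`, or raise PermissionError.

    `uid` must come from the verified auth context of the callable function
    (hypothetical: req.auth.uid), never from the request body.
    """
    if not is_owned_image_path(uid, path):
        raise PermissionError(f"{uid!r} may not read {path!r}")
    blob = bucket.blob(path)  # bucket: google.cloud.storage Bucket or stand-in
    # Unlike a ?token= download URL this link expires, and no ACL is changed.
    return blob.generate_signed_url(
        version="v4", expiration=timedelta(minutes=minutes), method="GET"
    )


class FakeBlob:
    """Constructed stand-in so the example runs offline without credentials."""

    def __init__(self, name: str):
        self.name = name

    def generate_signed_url(self, **kwargs) -> str:
        return f"https://signed.example/{self.name}?ttl={kwargs['expiration']}"


class FakeBucket:
    def blob(self, name: str) -> FakeBlob:
        return FakeBlob(name)
```

The app then stores only the object path and requests a fresh URL when it needs to render the image, so a leaked link stops working after `minutes` rather than forever.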