1. 27
    Restrict File Uploading to Firebase Cloud Firestore with Cloud Storage Security Rules
    3m 32s

Restrict File Uploading to Firebase Cloud Firestore with Cloud Storage Security Rules

Jorge Vergara
InstructorJorge Vergara
Share this video with your friends

Social Share Links

Send Tweet

We want to secure our file storage so not just anyone can upload files to our Cloud Firestore.

We'll go through Cloud Storage Security rules to add rules and restrictions to our bucket server-side. You'll notice that the default rules for storage are the same as the database in that they are open to anyone for 30 days.

There are a few restrictions that we will implement: - Only allowing authenticated users to upload files. - Restrict the size of the files we want to upload. - Restrict the type of files we want to upload. (i.e: only accept images or pdfs)

Man: [0:01] Now that our users are able to upload files into our Cloud storage bucket, we want to be able to secure that bucket so only the people we want can upload files. For that, we are going to go into our Firebase console. We're going to click Storage, and here in our Storage bucket, we are going to click on Rules.

[0:26] These are the Cloud storage security rules. By default, when you start a new project, you start in development mode. What they do is that they create a rule that says we are going to have the database open for the first 30 days.

[0:43] There are three changes that we want to do here. First, we want only authenticated users to be able to upload files into our application. We can get that from the request object and we say, if the request.auth is different from null, then let this true. Because here we are saying, if the user is authenticated let them publish.

[1:12] Second, we want to be able to restrict the size of the file the user is uploading. Maybe we are going to allow them only to upload files for 1MB, 5MB and so on. Just as we do in Firestore security rules, here we can also create function. I can say I want to create a function called restrictFileSize().

[1:37] This function is going to take the file size in megabytes as a parameter and it's going to return if the request.resource. If the file that's coming here in the request has the size property and is less than the size in megabytes * 124 * 124.

[2:10] We are multiplying it for 1,024 bytes then 1,024 kilobytes and that's going to give us the size in megabytes. Then we can call this function. From here, we can chain it and say, if request.auth is different from null, if restrictFileSize and we are going to pass a size in megabytes of 5MB.

[2:35] The final thing we want to do is, we want to limit the type of files that the user can upload. We can create another function here. We are going to call this one isAllowedFile(). This one is going to check if the request has the contentType and that matches image/jpeg, then return true.

[2:59] We are going to add all the possible variations that we have here for images and PDFs. Then we can change that request here and say OK. We want the user to be able to read and write if the user is authenticated, is the file is less than 5MB, and if the file has the allowed type of image or PDF.