I have a chat app where users can send photos in private or group chats. Each private or group chat has a unique chat id: /images/<chat id>/image.jpg

How would one secure the access to this files so that only the chat members can view them? In the Firebase database I have a node with a structure like: /members/<chat id>/member1: true.

Is this actually necessary, since the links are only posted to the corressponding chats? Can any authed user actually browse through the files saved in the Firebase storage? Or is this prevented by design?

The eternal question. It's discussed a few places (Google Group, Storage Docs, Github Gist), but the TL;DR is: at present, there's no way to read data from one service in the Rules of another. For services, you can do one of two things:

• Convey group information in a custom token
• Convey group information in custom metadata in the service

One example of this:

// Allow reads if the group ID in your token matches the file metadata's `owner` property
// Allow writes if the group ID is in the user's custom token
match /files/{groupId}/{fileName} {
  allow read: if resource.metadata.owner == request.auth.token.groupId;
  allow write: if request.auth.token.groupId == groupId;
}

You can now access the Firebase Firestore database from your Firebase Storage secturity rules as announced here. https://firebase.blog/posts/2022/09/announcing-cross-service-security-rules