setting firebase storage rule to watch for a piece of state in React Firebase

Question

Is it possible to set a firebase storage rule to watch the value of a piece of state?

I am not using firebase auth for my app I just want to use a bucket for file storage. I have a state variable within my app:

  const [state, setState] = useState({
    currentUser: null,
    isAuthed: false
  });

If the user is authenticated the isAuthed value will flip to true. Therefore would it be possible to write a rule set that looks as so:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if state.isAuthed === true;
    }
  }
}

Answer 1

Your post raises two questions:
How to pass data to storage rules?
How to check for authentication status without using firebase authentication?

?? Passing data to storage rules

File path

You could save your file to the path /userfiles/authenticated/... to signal that the file was uploaded by an authenticated user. In the storage rule, you have access to the path through the match clause:

match /userfiles/authenticated/{allPaths=**} {
  allow read, write: if true;
}

Custom metadata

When uploading a file you can set custom metadata this way:

const metadata = { customMetadata: { isAuthed: true } };
const uploadTask = uploadBytes(storageRef, file, metadata);

Then you can read the metadata in the storage rules:

match /{allPaths=**} {
  allow read, write: if request.resource.metadata.isAuth == true;
}

Custom claims or custom tokens

Custom claims or custom tokens allow assigning data to a user in a secure way, this data is then passed to the storage rule. Custom claims necessitate using firebase authentication, but custom tokens allow you to assign a token from your server without using firebase authentication. To read the data:

match /{allPaths=**} {
  allow read, write: if request.auth.token.isAuth == true;
}

? Checking authentication status

Use custom token

The easiest way to ensure only authenticated users can upload is through custom claims or custom token, as detailed above.

Cryptographic trick

?? For fun only, use at your own risks
Let's roll our own crypto protocol to have a secure way of allowing upload only to authenticated users. NB: this does not prevent read access because we cannot provide metadata.

1- An user requests an upload token from your server:

const crypto = require("crypto");
const SECRET = "S3CRET"; // a secret shared by your server and security rules

// If the user is authenticated, send them this upload token:
const nonce = crypto.randomBytes(9).toString('base64');
const data = `${nonce},${filepath},${SECRET}`
const token = { nonce, hash: crypto.createHash('sha256').update(data).digest('base64') };

2- You pass the upload token to the storage rule via the file path or custom metadata as described above

3- In the storage rule, you validate the hash:

match /{allPaths=**} {
  allow read: if true;
  allow write: if verifyHash(request, allPaths);
}

function verifyHash(request, path){
  let nonce = request.resource.metadata.nonce;
  let hash = request.resource.metadata.hash;
  let hash2 = hashing.sha256(nonce + "," + path + ",S3CRET")).toBase64();
  return hash == hash2; 
}

4- profit: only users who have an upload token can upload a file, as a bonus you also enforce the file path, and you could also enhance the token with a timestamp, and enforce some kind of rate limit.