[Feature Request] [AngularFireStorage] Download files with customer-supplied/managed encryption keys

[ksilz]

Version info

Angular: 11.1.2

Firebase: 8.2.6

AngularFire: 6.1.4

Other (e.g. Ionic/Cordova, Node, browser, operating system): Safari 14.0.3 on macOS 11.2

How to reproduce these conditions

I asked about this on Stack Overflow but got no reply in four days. I created a companion request for FlutterFire.

My app stores files with Firebase Storage. I want to encrypt these files conveniently on the server. Firebase Storage uses Google Cloud Storage. And Google Cloud Storage offers two options for this: Customer-supplied encryption keys, where the app provides a key, and customer-managed encryption keys, where the app provides the name of the server-side “encryption service account” in Google cloud storage.

I think my Java back-end that creates my files would be fine: The Firebase Admin SDK uses the Java Cloud Storage library. And there Storage.BlobTargetOption has an encryptionKey() method for the customer-supplied encryption key, and a kmsKeyName() method for the customer-managed encryption keys.

But I don’t see how I can download files with customer-supplied/managed encryption keys in AngularFire. I can't specify a key or key name when creating the "bucket" to access a file (sorry, no link here). And I can't specify these when getting the file's download URL, either.

So I suggest as a feature that Firebase Storage in AngularFire supports both the customer-supplied & customer-managed encryption keys for Google Cloud Storage. As for the implementation of that feature, getting a download URL could be the place to specify either a customer-supplied encryption key or the name of a customer-managed encryption key.

Steps to set up and reproduce

1. Create a file with the Firebase Admin SDK with either a customer-supplied encryption key or a customer-managed encryption key
2. Request download URL for this encrypted file with AngularFire

Expected behavior

You can specify the customer-supplied encryption key or the name of a customer-managed encryption key when when getting the file's download URL.

Actual behavior

You cannot specify the customer-supplied encryption key or the name of a customer-managed encryption key when when getting the file's download URL.

[google-oss-bot]

This issue does not seem to follow the issue template. Make sure you provide all the required information.

[ksilz]

Why are you nagging me, little @google-oss-bot? This is a feature request. And the new issue template states for feature requests that I should "remove the template below and provide an explanation of your feature request". That's what I did, but that ain't right somehow.

So now I formatted my feature request more like a bug report. I hope that's good enough now.

[davideast]

Hey, @ksilz! I recommend filing this request one level above in the Firebase JS SDK repo. AngularFire/FlutterFire wrap the existing functionalities of the core SDK. AFAIK, this is not available in the JS SDK so it would have to be there first. Let me know if I'm missing something and it does exist in the JS SDK and I'll reopen!

[ksilz]

@davideast Done.