Firebase config troubleshooting

[ArcCal]

What happened?

Hi team,

I’ve noticed that the Firebase configuration values set in .env (like FIREBASE_API_KEY, FIREBASE_AUTH_DOMAIN, etc.) don’t seem to affect upload permissions to Firebase Storage. File upload and delete operations in LibreChat only work when the Firebase Storage security rules are set to the most permissive level, e.g.:

allow read, write: if true;

If I set stricter rules (for example, only allowing authenticated users or even just blocking anonymous access), file uploads start failing. It appears that LibreChat doesn’t use the Firebase credentials from the .env file to authenticate uploads in a way that matches stricter Firebase rules.

Expected:
I would expect files to upload/delete successfully when the .env Firebase config is properly set and the corresponding authentication in storage rules is required.

Actual:
Uploads/deletes fail unless the rules are fully open to everyone.

Steps to reproduce:

1. Configure .env with correct Firebase credentials.
2. Restrict your Firebase Storage rules (e.g., allow write: if request.auth != null;).
3. Try to upload a file — it fails.
4. Set rules to open permissions — now upload works.

Could you clarify if there’s a recommended way to secure Firebase Storage with LibreChat and have authentication work as expected using .env?
If not, please consider enhancing the Firebase integration to support secure, non-public access!

Thanks!

Version Information

docker images | grep librechat
ghcr.io/danny-avila/librechat-api latest 48bc63b4f14f 4 days ago 1.08GB
ghcr.io/danny-avila/librechat-rag-api-dev-lite latest e78acb5d033c 6 days ago 1.28GB

Steps to Reproduce

1. Set up Firebase and create a Storage bucket as described in the LibreChat documentation.
2. Add your Firebase configuration values (FIREBASE_API_KEY, FIREBASE_AUTH_DOMAIN, FIREBASE_PROJECT_ID, etc.) to the .env file.
3. In the Firebase console, set your storage rules to a restricted configuration, such as:

   allow read, write: if request.auth != null;
   

   or

   allow write: if request.auth != null && request.auth.uid == userId;
   

4. Restart LibreChat and try to upload a file (e.g. image) using the file upload functionality.
5. Observe that the file upload fails (permission denied).
6. Change your Firebase storage rules to the most permissive setting:

   allow read, write: if true;
   

7. Try uploading a file again.
8. Observe that the file upload now succeeds.

What browsers are you seeing the problem on?

No response

Relevant log output

none

Screenshots

none

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

Please read our documentation on Firebase:

https://www.librechat.ai/docs/configuration/cdn/firebase

We provide an example rule that balances accessibility with security:

rules_version = '2';
 
service firebase.storage {
  match /b/{bucket}/o {
    match /images/{userId}/{fileName} {
      allow read, write: if true;
    }
  }
}

This rule restricts access to only files within the specified path structure (/images/{userId}/{fileName}). While it uses "if true" to allow read/write access, the security comes from the path specificity - users would need to know the exact userId and fileName to access a file. This is similar to how platforms like Facebook handle resource URLs, where the URL itself contains enough entropy to make random access difficult even without additional authentication.