Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Firebase Database - Risks associated with exposing uid on the client side?

Short question(s): What are the risks/problems if I expose another users' UID on the client side?

My circumstance: I'm building a test android app that needs to be able to let 1) user foo request authorization in order to 2)access user A's private data.

I don't know if it is a "duh" fact, but I just can't seem to find any warning on Firebase about "DON'T EXPOSE UID". I've been skimming on the user-security section and Firebase's chat example demo, and the common approach seems to create a field "share" or "authorized" with the authorized user's uid as true. My question is primarily about the first step. Below is a snippet of my data structure.

 {
      "users" : {
        "uid_of_user_a" : {
          "requests" : {
            "-KeXTQeFJ2gAiaazteO1" : {
              "requestUid" : "uid_of_user_foo",
              "targetUid" : "uid_of_user_a",
              "timeStamp" : 123456
            }
          }
        }
      }
    }

My thinking is this.

  1. The rules for the request field is it is read/write for user with uid_of_user_a, and writable for any authenticated users only if such user push in the targetUid that matches uid_of_user_a.

  2. On the client side, user A has a onChildEventListener attached with a reference to this field. When the client receives a onChildAdded callback, a dialog shows up and asks for confirmation.

  3. If confirmed, the client side retrieves the requester's uid from the request message, and pushes it to the "authorized" field

  4. user A's private data can then be readable by the uid listed in the authorized field.

Problem: Exposing another user's uid to the client is required. This method is comparable to like calling someone on a phone, the caller has to know the receiving end's phone number first. so, without actually giving out phone numbers and email, someone has to know the UID somehow in order to even get a message across and ask to get shareable data, right?.... but, my intuitive approach seems iffy.

I'm new to firebase database and user-authentication in general, so pardon my french :) Thanks in advance to all the gurus out there.

like image 767
Andrew Lam Avatar asked Mar 06 '17 08:03

Andrew Lam


People also ask

Is Firebase UID sensitive?

No its safe to use the uid and recommended, firebase uses auth to authenticate the user and the assign the uid to identify the user across firebase. You will be using uid in your security rules and as well as to identify user info in your db records.

Can Firebase database be hacked?

Short Answer : Yes, But it will be hard than a website.

Is Firebase database safe?

As a default Firebase database has no security, it's the development team's responsibility to correctly secure the database prior to it storing real data. In Google Firebase, this is done by requiring authentication and implementing rule-based authorization for each database table.


1 Answers

A UID is just a string. There's no information in it. The piece of secret information is the user's password (which you can never see) and their temporary authentication token, which expires after an hour. The SDK will automatically refresh that token.

If your security rules are properly set up, there is no problem. If one user knows another user's UID, there's nothing the first user can do to affect the data of the second user if your rules don't allow it. You may want to separate public and private information about users into separate locations so they can have separate security rules, if that's what you need.

If for some reason you still think that the UID needs to be kept secret, you can generate a different UUID or something to identify the user and use that instead, but I don't know what extra security that will provide.

like image 94
Doug Stevenson Avatar answered Oct 03 '22 16:10

Doug Stevenson