
Is it ok to show $uid, generated by Firebase Authentication?

I have Firebase Authentication enabled and after registering a new user, I create some other data tables and I distinguish them by $uid, generated by Firebase. Also, $uid is being displayed in the browser address bar, like:

http://localhost:4200/accounts/6WvgabEHMRbGYxJ0inaCjWHmkif2

Is it safe enough to use it in this way (and is it normal practice)?

Julius Dzidzevičius asked Sep 12 '17 13:09


1 Answer

It is completely safe to put the uid in the URL.

If you go to your Stack Overflow account, for example, the numbers you see before your name are your user id. This is your account's URL:

https://stackoverflow.com/users/8558489/user370486

I can see your user id of 8558489 in the URL before it shows your username, but I can't do anything malicious with that information. Websites like Facebook use your username in the URL, YouTube uses your user id; it's what you prefer. I would rather see your username in the URL because it's more meaningful when you look at it, but it's up to you! Hope this helps.

EDIT:

It is arguable, however, that it may be less secure to have the username in the URL. If the application allows for the username to be the same as the password, or if the username is allowed to be contained in the password, then this makes for an easy brute-force attack. The uid is a good way to go.

Michael answered Oct 14 '22 16:10
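
A uid in the URL stays harmless only while access to the per-user data is decided from the signed-in user's verified token and not from the uid in the address bar. The sketch below is an added example, not code from the question or the answer: the function names, the in-memory `accounts` map and the second uid are constructed, and it assumes the server has already verified the ID token (for instance with the Admin SDK's `verifyIdToken`) and passes in the decoded claims.

```javascript
// Constructed sample data: per-user records keyed by Firebase uid.
// The first uid is the one from the question's URL; the second is made up.
const accounts = new Map([
  ['6WvgabEHMRbGYxJ0inaCjWHmkif2', { displayName: 'Owner' }],
  ['Xq1constructedUid0000000000AB', { displayName: 'Someone else' }],
]);

// Extract the uid from a path such as /accounts/<uid>.
// Assumption: uids are alphanumeric, like the generated one in the question;
// anything else is rejected before it reaches the data layer.
function uidFromPath(path) {
  const m = /^\/accounts\/([A-Za-z0-9]{1,128})\/?$/.exec(path);
  return m ? m[1] : null;
}

// decodedToken: claims of an ID token the server has ALREADY verified,
// or null when the request carried no valid token.
// Only decodedToken.uid is trusted; the uid in the URL is just a lookup key.
function handleAccountRequest(path, decodedToken) {
  const requestedUid = uidFromPath(path);
  if (requestedUid === null) {
    return { status: 400, body: 'bad account path' };
  }
  if (!decodedToken || typeof decodedToken.uid !== 'string') {
    return { status: 401, body: 'sign-in required' };
  }
  // The URL says which account is wanted; the token says who is asking.
  // This check runs before the lookup so a 403 does not reveal whether
  // somebody else's uid exists.
  if (decodedToken.uid !== requestedUid) {
    return { status: 403, body: 'not your account' };
  }
  const record = accounts.get(requestedUid);
  if (!record) {
    return { status: 404, body: 'no such account' };
  }
  return { status: 200, body: record };
}
```

When the client reads the database directly instead of going through a server, the same comparison has to live in the database's security rules.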