Menu
If I used the Firebase user UID as a QR code tag, is this a wise way?
What is the consequences if the UID is known by public?
Will this give any chance for a hacker to modify the user privacy data?
298
As a default Firebase database has no security, it's the development team's responsibility to correctly secure the database prior to it storing real data. In Google Firebase, this is done by requiring authentication and implementing rule-based authorization for each database table.
No its safe to use the uid and recommended, firebase uses auth to authenticate the user and the assign the uid to identify the user across firebase. You will be using uid in your security rules and as well as to identify user info in your db records.
UIDs in firebase are UUIDs as well. UIDs are nowadays indeed UUIDs.
Firebase users have a fixed set of basic properties—a unique ID, a primary email address, a name and a photo URL—stored in the project's user database, that can be updated by the user (iOS, Android, web).
A Firebase's UID is not a security mechanism by itself. Knowing a user's UID is not a security leak.
Knowing a user's UID does not mean you can impersonate that user. I may know that you're Jason Hoch and your StackOverflow user id is 52961000. But I still cannot use that information to authenticate as you at StackOverflow.com.
Say that you have the user's profile information in the Firebase database:
users
uid_52961000
name: 'Jason Hoch'
And you have these corresponding security rules:
"users": {
".read": true,
"$uid": {
".write": "auth.uid === $uid"
}
}
With these settings, I can only write /users/uid_52961000 if I'm authenticated as user uid_52961000. Since authentication requires that I know your username/password or some other (Facebook or other social provider) secret, without those I cannot pretend to be you.
81
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
