Is there a way to determine if a Firebase user's UID is valid?

Question

I am building a server route that I wish to restrict for use only by authenticated users. I plan to send a user.uid with a POST to this route, and I want to validate the UID is one that exists in Firebase. I know I can add UIDs manually in Firebase and check against this data, but is it possible to see what UIDs Firebase authentication is tracking? I think this approach would be better then checking against my own list.

The purpose for this is to ensure that these routes are not accessed with a phony UID (e.g. for malicious purposes).

Answer 1

Validating a UID is not enough to block malicious users: 1) the attackers could pretend to be other users by sending other user's UID, and 2) UID never changes or expires, which means there is no way to enforce the users (or attackers) to re-authenticate.

What you need is to pass the Firebase token from client app to your server, and validate the token before accepting it.

• The token is securely signed by Firebase private key. No other party can issue a valid Firebase token.

• The token is valid for only one hour. Firebase server will check the account status (e.g. password change event) before issuing a new token.

• The token payload contains UID and audience. You should verify audience is your own application.

You can use Firebase Admin SDK or third party libraries to verify a Firebase token. See Firebase doc for details.

Answer 2

You can check whether a specific UID corresponds to a Firebase Authentication user in your project by using the Firebase Admin SDK on your server. From the Firebase documentation on retrieving user data:

admin.auth().getUser(uid)
  .then(function(userRecord) {
    // See the UserRecord reference doc for the contents of userRecord.
    console.log("Successfully fetched user data:", userRecord.toJSON());
  })
  .catch(function(error) {
    console.log("Error fetching user data:", error);
  });