19

Short question(s): What are the risks/problems if I expose another users' UID on the client side?

My circumstance: I'm building a test android app that needs to be able to let 1) user foo request authorization in order to 2)access user A's private data.

I don't know if it is a "duh" fact, but I just can't seem to find any warning on Firebase about "DON'T EXPOSE UID". I've been skimming on the user-security section and Firebase's chat example demo, and the common approach seems to create a field "share" or "authorized" with the authorized user's uid as true. My question is primarily about the first step. Below is a snippet of my data structure.

 {
      "users" : {
        "uid_of_user_a" : {
          "requests" : {
            "-KeXTQeFJ2gAiaazteO1" : {
              "requestUid" : "uid_of_user_foo",
              "targetUid" : "uid_of_user_a",
              "timeStamp" : 123456
            }
          }
        }
      }
    }

My thinking is this.

  1. The rules for the request field is it is read/write for user with uid_of_user_a, and writable for any authenticated users only if such user push in the targetUid that matches uid_of_user_a.

  2. On the client side, user A has a onChildEventListener attached with a reference to this field. When the client receives a onChildAdded callback, a dialog shows up and asks for confirmation.

  3. If confirmed, the client side retrieves the requester's uid from the request message, and pushes it to the "authorized" field

  4. user A's private data can then be readable by the uid listed in the authorized field.

Problem: Exposing another user's uid to the client is required. This method is comparable to like calling someone on a phone, the caller has to know the receiving end's phone number first. so, without actually giving out phone numbers and email, someone has to know the UID somehow in order to even get a message across and ask to get shareable data, right?.... but, my intuitive approach seems iffy.

I'm new to firebase database and user-authentication in general, so pardon my french :) Thanks in advance to all the gurus out there.

Andrew Lam
  • 1,371
  • 17
  • 35

1 Answers1

36

A UID is just a string. There's no information in it. The piece of secret information is the user's password (which you can never see) and their temporary authentication token, which expires after an hour. The SDK will automatically refresh that token.

If your security rules are properly set up, there is no problem. If one user knows another user's UID, there's nothing the first user can do to affect the data of the second user if your rules don't allow it. You may want to separate public and private information about users into separate locations so they can have separate security rules, if that's what you need.

If for some reason you still think that the UID needs to be kept secret, you can generate a different UUID or something to identify the user and use that instead, but I don't know what extra security that will provide.

Community
  • 1
  • 1
Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • 3
    Thank you for your reply, I feel much relieved now. As a beginneer I have my reservations about uid because Firebase database standard practice uses "$uid === auth.uid" as the rule for allowing user to access their private data. My intuition (without knowing how auth actually works) was would an user be able to spoof using uids. Is using UID for authorization between users a standard practice? – Andrew Lam Mar 06 '17 at 19:04
  • 4
    That rule ensures that only *fully-authenticated* users with that UID can access the data there. It can't be spoofed - it only works with apps using Firebase Authentication where the user has logged in. It's not just a parameter to some web API. – Doug Stevenson Mar 06 '17 at 20:31