
I've been reading the Firebase Realtime Database Security Rules guides (https://firebase.google.com/docs/database/security), and I'm a bit confused with regard to whether I should keep the UID generated by Firebase Auth (let's say my app's users use Facebook to authenticate themselves) secret. I have this kind of data structure:

  • users
    • UID
      • Lots of nodes of personal data to be read/written by the given user only.

So if some malicious hacker gets hold of some UIDs, will he be able to read/write the users' personal data? As far as I can see, if someone knows the UID, he/she can set up a request and pretend to be authenticated as that user? Or am I missing something here?

Many thanks!

    A user's UID is not a secret. It's just an identifier, similar to your ID 7276386 on Stack Overflow. Knowing your ID doesn't allow a user to impersonate you. See my longer explanation here: https://stackoverflow.com/questions/37221760/firebase-is-auth-uid-a-shared-secret/37222341#37222341 – Frank van Puffelen Oct 02 '17 at 14:30

1 Answer


No, the uid can be retrieved under auth.uid in the rules. This is server side. Take these rules for example:

    {
      "rules": {
        "users": {
          "$uid": {
            ".read": "$uid === auth.uid", // <--------------------------------
            "online": {
              ".read": "auth != null",
              ".write": "$uid === auth.uid"
            }
          }
        }
      }
    }

The arrow indicates the line I mean. It does not matter if you got someone else's UID, because when you try to retrieve data with that rule, it will fail because there is a mismatch. The auth.uid is server side and, as far as I know, is pretty well protected. He can change his own UID client side and try to retrieve data, but with security rules you can prevent data exchange.

It is all about the rules you define. When you define the rule at the arrow, you do not have to worry.

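To make the answer's point concrete, here is an added example (not code from the question, the answer, or Firebase itself) that models how the rules above combine `auth.uid` with the `$uid` path wildcard. It assumes a simplified version of Realtime Database semantics: `auth` comes from the verified ID token and is passed in separately from the path the client asks for, an operation is allowed if any rule from the root down to the target path grants it, and a rule expression that throws is treated as a deny.

```javascript
// Rules taken from the answer's snippet, completed with closing braces.
const RULES = {
  rules: {
    users: {
      $uid: {
        ".read": "$uid === auth.uid",
        online: {
          ".read": "auth != null",
          ".write": "$uid === auth.uid",
        },
      },
    },
  },
};

// Evaluate one rule string. "$uid" is a valid JavaScript identifier, so the
// bound wildcard values are passed straight in as function parameters.
function evalRule(expr, auth, vars) {
  const names = Object.keys(vars);
  try {
    const fn = new Function("auth", ...names, `return (${expr});`);
    return Boolean(fn(auth, ...names.map((n) => vars[n])));
  } catch {
    return false; // e.g. auth.uid when auth is null: fail closed (assumption)
  }
}

// op is ".read" or ".write"; path is like "/users/alice/online";
// auth is the decoded token ({ uid } or null), never something the client sets.
function isAllowed(rules, op, path, auth) {
  let node = rules.rules;
  const vars = {}; // wildcard bindings collected while walking the path
  if (typeof node[op] === "string" && evalRule(node[op], auth, vars)) return true;
  for (const seg of path.split("/").filter(Boolean)) {
    let next = node[seg];
    if (next === undefined) {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard === undefined) return false; // no rule below: default deny
      vars[wildcard] = seg; // e.g. $uid = "alice"
      next = node[wildcard];
    }
    if (typeof next !== "object" || next === null) return false;
    node = next;
    // A grant at any level of the path cascades down to the target.
    if (typeof node[op] === "string" && evalRule(node[op], auth, vars)) return true;
  }
  return false;
}
```

Note that the answer's snippet has no `.write` at the `$uid` level, so with these rules a write to `/users/alice/profile` is denied even for alice herself; only `online` has a write rule.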