1

In my Firebase app, a user's feed is populated with posts, however the usernames of the posts are displayed. However, the username is inside of the snapshot, but there is no place where it is displayed in the app. Is it secure to have the username transferred to the client's device if they are not supposed to be able to access it? Would it be better to remove the username from the snapshot in the posts node and instead create a separate node which has the username for each post, accessing the username each time it is needed so that when a user's feed is populated the username is not sent in the snapshot?

Frank van Puffelen
Raim Khalil

1 Answer

2

Any data that is transferred to the device can be accessed by the user on that device. If you want certain data to be non-accessible, don't transfer it to the client.

A common way to do this is to make an extra node that contains only the information that is publicly readable. For some examples of this, see:

Frank van Puffelen
  • There is one problem. At one point or another, I need the ID of the user to add a message to it; however, I still do not want the user to have access to the user ID of the poster? – Raim Khalil Feb 15 '18 at 00:45
  • That's a different misconception: UIDs are also not secrets. E.g. your Stack Overflow ID is 9161528, mine is 209103. Knowing this doesn't allow either of us to impersonate each other: that's only possible if we know each other's credentials. See https://stackoverflow.com/questions/37221760/firebase-is-auth-uid-a-shared-secret – Frank van Puffelen Feb 15 '18 at 04:31
  • The problem is, however, repeated user IDs indicated the same person posted posts multiple times. I think the workaround for this is similar to what you suggested, storing the likes / messages in a separate part of the database for likes and messages only related to the post. Thus, the layer of anonymity is enforced. – Raim Khalil Feb 15 '18 at 04:41
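
The split the answer describes, sketched as an added example (not code from the original post or from Firebase): a post is divided into a public half that the feed downloads and a private half stored under a separate node. The node names `posts` and `postAuthors`, the field names, and the read rules shown are assumptions for illustration.

```javascript
// Added example: node names (posts, postAuthors) and field names are assumptions.

// Fields that may be sent to every client that can read the feed.
const PUBLIC_FIELDS = ["text", "imageUrl", "createdAt"];
// Fields kept in a separate node that the feed query never downloads.
const PRIVATE_FIELDS = ["uid", "username"];

// Copy only the named keys that are present on the source object.
function pick(source, keys) {
  const out = {};
  for (const key of keys) {
    if (Object.prototype.hasOwnProperty.call(source, key)) out[key] = source[key];
  }
  return out;
}

// Build a multi-path update that writes the public and private halves together.
function buildPostFanout(postId, post) {
  if (!/^[A-Za-z0-9_-]+$/.test(postId)) throw new Error("invalid post id");
  const unknown = Object.keys(post).filter(
    (k) => !PUBLIC_FIELDS.includes(k) && !PRIVATE_FIELDS.includes(k)
  );
  // Fail closed: an unclassified field must never default to the public node.
  if (unknown.length > 0) throw new Error("unclassified fields: " + unknown.join(", "));
  return {
    ["posts/" + postId]: pick(post, PUBLIC_FIELDS),
    ["postAuthors/" + postId]: pick(post, PRIVATE_FIELDS),
  };
}

// Realtime Database read rules to pair with the split (assumed layout; write
// rules omitted). Without them, a client could simply read postAuthors directly.
const RULES = {
  rules: {
    posts: { ".read": "auth != null" },
    postAuthors: {
      $postId: { ".read": "data.child('uid').val() === auth.uid" },
    },
  },
};

// Constructed sample post, not data from the original question.
const sample = { text: "hello", createdAt: 1518655500000, uid: "uidA", username: "alice" };
const updates = buildPostFanout("post123", sample);
console.log(JSON.stringify(updates, null, 2));
// With the Firebase SDK the write would be: firebase.database().ref().update(updates)
```

The rules are what enforce the separation: the split only keeps the username off the device if the private node is unreadable to other users.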