
I am working on creating some users in my firebase app and I would like to provide custom user ids as they are authenticating with an external service.

For example, my user ID generation consists of 2 parts, like so:

AuthService:AuthServiceUsername

That can look in reality like:

Instagram:dimitrioskanellopoulos

But I don't like to have this string used as a user ID, so I encode it to base64 like so:

  const uid = Buffer.from(`instagram:${serviceUserID}`).toString('base64');

Is there any risk in my doing that? Is base64 also OK to use with regard to query params?

Jimmy Kane
  • 1
    Base64 is a kind of basic encoding that anyone can understand. What I do is use node bcrypt or use multi base64, encoding base64 2-3 times – Sohan May 23 '19 at 11:03
  • 1
    "But I don't like to have this string used as a user id" Why not? – Frank van Puffelen May 23 '19 at 13:25
  • 2
    The Firebase Authentication UID is **not** a secret, but merely an identifier. It is explicitly meant to be used to identify that user. See https://stackoverflow.com/questions/37221760/firebase-is-auth-uid-a-shared-secret, https://stackoverflow.com/questions/53220681/can-i-login-into-a-users-account-if-i-just-know-uid-in-firebase – Frank van Puffelen May 23 '19 at 13:27
  • @FrankvanPuffelen I do understand that, but I would like to avoid a string from a service that could be incompatible with the UID that Firestore accepts. It's an edge case, but that then depends on the service I authenticate against, and that is not in my hands. – Jimmy Kane May 23 '19 at 15:03
  • Firestore document IDs are quite flexible on what's allowed and not. See https://firebase.google.com/docs/firestore/quotas#limits. But base64 would actually not be safe, since it contains `/`, which is disallowed in Firestore document IDs. – Frank van Puffelen May 23 '19 at 17:11
  • Actually that is what I was looking for – Jimmy Kane May 23 '19 at 18:47
  • Any suggested way to do this? – Jimmy Kane May 23 '19 at 18:56
  • @Sohan do you use this for Firebase IDs? – Jimmy Kane May 24 '19 at 07:11
  • I have not used this, but unless firebase store is fine with it this should work – Sohan May 24 '19 at 07:18
  • @Jimmy Also I did some searching; it is okay even if we do not encode the userId, because one can log in only with credentials using the login form – Sohan May 24 '19 at 07:26
  • @Sohan but Frank said that the trailing slash that base64 sometimes creates is not legal for IDs – Jimmy Kane May 24 '19 at 07:28
  • 1
    @Jimmy That is what I said in my earlier comment, do you really need encoding? – Sohan May 24 '19 at 08:16
  • @Sohan yes, because I cannot trust the UID that the service provides – Jimmy Kane May 24 '19 at 08:48
  • @Jimmy How about using hashing? – Sohan May 24 '19 at 08:58
  • @Sohan let's follow up here: https://stackoverflow.com/questions/56289120/how-to-create-a-firestore-safe-document-id I opened a new question that describes my problem better – Jimmy Kane May 24 '19 at 09:05
  • @JimmyKane like what Sohan asked, why not use a hash, e.g. SHA256? – Jek Feb 13 '20 at 16:13
  • @choopage-JekBao CPU costly – Jimmy Kane Feb 14 '20 at 07:05

1 Answer

Firestore document IDs are quite flexible on what's allowed and not. See https://firebase.google.com/docs/firestore/quotas#limits.

But base64 would actually not be safe, since it contains `/`, which is disallowed in Firestore document IDs.

Frank van Puffelen
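
The point in the answer above, as an added example that is not part of the original thread: the question's encoding emits a `/` for some inputs, while the URL-safe base64 alphabet (RFC 4648 section 5) does not. The usernames are constructed samples, `isFirestoreSafeId` is a hypothetical helper, and its rules are the document-ID constraints from the Firestore limits page linked in the answer.

```javascript
// Added example (not from the original thread).
// Document-ID byte limit from the Firestore limits page linked in the answer.
const MAX_DOC_ID_BYTES = 1500;

// Standard base64, exactly as in the question.
function standardUid(serviceUserID) {
  return Buffer.from(`instagram:${serviceUserID}`).toString('base64');
}

// URL-safe base64 (RFC 4648 section 5): '+' -> '-', '/' -> '_', padding dropped.
function urlSafeUid(serviceUserID) {
  return standardUid(serviceUserID)
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Reverse of urlSafeUid, to show that the mapping is lossless.
function decodeUrlSafeUid(uid) {
  const b64 = uid.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Hypothetical helper: checks an ID against the Firestore document-ID rules.
function isFirestoreSafeId(id) {
  if (typeof id !== 'string' || id.length === 0) return false;
  if (Buffer.byteLength(id, 'utf8') > MAX_DOC_ID_BYTES) return false;
  if (id.includes('/')) return false;            // path separator
  if (id === '.' || id === '..') return false;   // reserved names
  if (/^__.*__$/.test(id)) return false;         // reserved pattern
  return true;
}

// Constructed sample usernames; the second one encodes to a '/'.
for (const name of ['dimitrioskanellopoulos', 'a?b']) {
  const std = standardUid(name);
  const safe = urlSafeUid(name);
  console.log(name, std, isFirestoreSafeId(std), safe, isFirestoreSafeId(safe));
}
```
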