-1

I have a straightforward next.js website using firebase in which users can save notes about their day. Once they create a note, I redirect them to a page showing the note's content. Since I'm using next.js, I was thinking of using static generation for those pages, but that would mean I cannot authenticate the users accessing the page.

So, would be using the autogenerated document ID in the URL, like /note/uo7darDLMgbjtMBl3FgD, prevent other users from accessing it? I'm worried someone might be able to infer some URLs from knowing the site uses firebase or be able to find all static pages with some form of a brute-force attack.

The data is private but doesn't contain any health or banking information. It's just more or less personal notes about people's day.

Hugo
  • 349
  • 3
  • 6
  • 23
  • Can you update your question with what you are looking for? Either "is it secure" (answer is no apart from the guessing part) or "how random are the generated IDs"? – Dharmaraj Sep 20 '22 at 18:02
  • @Dharmaraj "Would using the autogenerated document id in the URL, like /note/uo7darDLMgbjtMBl3FgD, prevent other users from accessing it?" – Hugo Sep 20 '22 at 18:34
  • 1
    NO. Security rules won't restrict access on your pre-rendered pages. The only "security" you have is the randomness and it's hard to say yes/no whether a person could guess them irrespective of how random they are. – Dharmaraj Sep 20 '22 at 18:39
  • 1
    _"I was thinking of using static generation for those pages, but that would mean I cannot authenticate the users accessing the page"_ - Not necessarily true. You can still have authentication with static generation using [client-side authentication](https://nextjs.org/docs/authentication#authenticating-statically-generated-pages) or Next.js [middleware](https://nextjs.org/docs/advanced-features/middleware). – juliomalves Sep 20 '22 at 22:16
  • @juliomalves I cannot wait for next.js middlewares to work with firebase auth! – Hugo Sep 21 '22 at 12:55

2 Answers2

2

As I understand from your comments, the question is not about security rules, but more about the uniqueness of document IDs.

So, would using the autogenerated document ID in the URL, like /note/uo7darDLMgbjtMBl3FgD, prevent other users from accessing it?

The answer is yes. Why? Because of the built-in generator that Firestore uses to generate document IDs. This mechanism provides random, unique, and highly unpredictable document IDs, which prevents the users from guessing them. But you can see this by yourself if you dig into the (open-source) SDKs. For example, in the Android SDK, there is a function called autoId(). If you open it, you'll see that it clearly generates pure client-side randomness with enough entropy to ensure pure uniqueness. That's the same algorithm for the Javascript SDK.

However, since it's about a web page, and you want that all those /note/... URLs not to be accessible, always make sure to prevent Google from indexing those pages using one of the solutions that exist in the following answers:

Alex Mamo
  • 130,605
  • 17
  • 163
  • 193
0

When it comes to using a unique id to protect user content, the answer can be found on security StackExchange. As other answers have mentioned though, it's important to prevent web crawlers from indexing the urls.

As far as using the firestore autogenerated id for security, this StackOverflow answer shows it is crypo random quality.

Hugo
  • 349
  • 3
  • 6
  • 23