1. 技术文章
  2. Why can't we use getUid() to authenticate with your backend server in firebase authentication

Why can't we use getUid() to authenticate with your backend server in firebase authentication

蓝咒 提交于 2019-12-07 04:56:33

问题


In this code snippet (firebase doc) they have mentioned do not use user.getUid() to authenticate with your backend server. use FirebaseUser.getToken() instead.

FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
if (user != null) {
    // Name, email address, and profile photo Url
    String name = user.getDisplayName();
    String email = user.getEmail();
    Uri photoUrl = user.getPhotoUrl();

    // The user's ID, unique to the Firebase project. Do NOT use this value to
    // authenticate with your backend server, if you have one. Use
    // FirebaseUser.getToken() instead.
    String uid = user.getUid();
}


getUid()    A unique user ID, intended as the user's unique key across all providers.   
getToken()  The Firebase authentication token for this session.

My requirement is.

  1. First I will register user with firebase authentication method (Email and password).
  2. I will save String uid = user.getUid(); in my own backend server once registration is successful.
  3. User credit information say user balance is saved in my own backend server as key user.getUid().
  4. User sign-in with Email and password and ask for his balance.
  5. I will get user.getUid() from firebase and match with my records, if match found returns balance to user.

They said getUid() is unique user id but Do NOT use this value to authenticate with your backend server.

Why so? Why can't we use getUid() to authenticate with your backend server??


回答1:


The uid is a unique identifier for the user. So, while it identifies the user, it does not authenticate them.

A simple corollary is that my Stack Overflow ID is 209103. Knowing that, you can identify me. But to prove to Stack Overflow that you are Frank van Puffelen, requires that you know my credentials.

The ID of a user is quite often exposed in the interface. For example, if you click on my profile, you will see my ID. This is necessary for identifying me. If you would also use that same ID to authenticate, everyone who had seen your profile once could impersonate you on the site. Not a good idea when it comes to security.




回答2:


Take your requirements as an example, if you using [GET] https://your-domain.com/api/users/$uid/balance to retrieve user's data, then this API is not secured at all, anybody could get other user's data with a random $uid.

As the comment(firebase doc) recommends, FirebaseUser.getToken() will get a JWT token, you should validate the token with firebase Admin SDK in your backend, and that is the data you could trust.

And the method client-side method should update to user.getIdToken() by now. https://firebase.google.com/docs/auth/admin/verify-id-tokens is the reference for more detail.



来源:https://stackoverflow.com/questions/37964425/why-cant-we-use-getuid-to-authenticate-with-your-backend-server-in-firebase-a

标签
firebase-authentication
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!