问题
I've been reading Firebase Realtime Database Security Rules guides (https://firebase.google.com/docs/database/security), and I'm a bit confused with regards to should I keep the UID generated by the Firebase Auth (lets say if my App users use Facebook to authenticate themselves) secret? I have this kind of data structure:
- users
- UID
- Lots of nodes of personal data to be read/written by the given user only.
- UID
So if some malicious hacker gets hold of some UIDs, will he be able to read/write the personal users' data? As far as I can see, if someone know the UID, he/she can setup a request and pretend to be authenticated as that user? Or am I missing something here?
Many thanks!
回答1:
No, the uid can be retrieved under auth.uid in the rules. This is server side. Take this rules for example:
"users": {
"$uid": {
".read": "$uid === auth.uid", <--------------------------------
"online": {
".read": "auth != null",
".write": "$uid === auth.uid"
},
The arrow indicates the line I mean. It does not matter if you got someone else his UID, because when you try to retrieve data with that rule, it will fail because there is a mismatch. The auth.uid is server side and as far as I know, is pretty good protected. He can change his own UID client side and try to retrieve data, but with security rules you can prevent data exchange.
It is all about the rules you define. When you define the rule at the arrow, you do not have to worry.
来源:https://stackoverflow.com/questions/46522614/firebase-security-rules-is-auth-generated-uid-ought-to-be-kept-secret