Is auth.uid a shared secret?

Question

It appears that when someone authenticates via oAuth, Firebase creates a uid that looks something like google:111413554342829501512, for example.

In Firebase rules, you can do (read and/or write):

".read": "root.child('users').child(auth.uid).child('isAdmin').val() == true"

Is it assumed that I can't read the message by sniffing the network because of the use of HTTPS? Is this how it works - the UID is a shared key used by Firebase rules?

I see that UID in firebase:session::ack in Local Storage in my browser once authenticated.

Answer 1

Knowing someones user id is not a security risk.

For example, I know that your Stack Overflow user id is 4797603. That fact alone allows me to potentially find you on Stack Overflow.

But it does not in any way allow me to pretend that I am Ron Royston. To do the latter I'd need to know the username and password (and any other factor) that you use to sign-in.

The same applies to Firebase. If you know that my uid in some Firebase-backed application is google:105913491982570113897, you cannot suddenly pretend to be me. The Firebase servers verify that the auth.uid value is based on the actual credentials of that user. The only way to do is by signing in as me, which in this case requires you to know my Google credentials.

Answer 2

I advise to use custom ID along side with UID. When your app grows, you do not want to share the UID or pass it around. Also when setting firebase-rules, you'll be referring to UID, which should be kept private.

generate a random string for the ID.

And for sensitive user data, set a rule in firestore, to only allow reading of the document if request.auth.uid == user.uid. This will prevent unwanted access. Read up a bit more on firestore rules, might be relevant for your use case.