使用 Firebase UID 作为二维码标签是否安全? [英] Is it safe to use Firebase UID as QR code tag?
问题描述
如果我使用 Firebase 用户 UID 作为二维码标签,这是一个明智的方法吗?
If I used the Firebase user UID as a QR code tag, is this a wise way?
如果 UID 被公众知道会有什么后果?
What is the consequences if the UID is known by public?
这会给黑客修改用户隐私数据的机会吗?
Will this give any chance for a hacker to modify the user privacy data?
推荐答案
Firebase 的 UID 本身并不是一种安全机制.知道用户的 UID 不是安全漏洞.
知道用户的 UID 并不意味着您可以模拟该用户.我可能知道您是 Jason Hoch,您的 StackOverflow 用户 ID 是 52961000.但我仍然无法使用该信息在 StackOverflow.com 上对您进行身份验证.
Knowing a user's UID does not mean you can impersonate that user. I may know that you're Jason Hoch and your StackOverflow user id is 52961000. But I still cannot use that information to authenticate as you at StackOverflow.com.
假设您在 Firebase 数据库中有用户的个人资料信息:
Say that you have the user's profile information in the Firebase database:
users
uid_52961000
name: 'Jason Hoch'
你有这些相应的安全规则:
And you have these corresponding security rules:
"users": {
".read": true,
"$uid": {
".write": "auth.uid === $uid"
}
}
通过这些设置,如果我被认证为用户 uid_52961000
,我只能写 /users/uid_52961000
.由于身份验证要求我知道您的用户名/密码或其他一些(Facebook 或其他社交提供商)的秘密,没有这些我就无法冒充您.
With these settings, I can only write /users/uid_52961000
if I'm authenticated as user uid_52961000
. Since authentication requires that I know your username/password or some other (Facebook or other social provider) secret, without those I cannot pretend to be you.
这篇关于使用 Firebase UID 作为二维码标签是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!