使用 Firebase UID 作为二维码标签是否安全? [英] Is it safe to use Firebase UID as QR code tag?

问题描述

如果我使用 Firebase 用户 UID 作为二维码标签，这是一个明智的方法吗?

If I used the Firebase user UID as a QR code tag, is this a wise way?

如果 UID 被公众知道会有什么后果?

What is the consequences if the UID is known by public?

这会给黑客修改用户隐私数据的机会吗?

Will this give any chance for a hacker to modify the user privacy data?

推荐答案

Firebase 的 UID 本身并不是一种安全机制.知道用户的 UID 不是安全漏洞.

知道用户的 UID 并不意味着您可以模拟该用户.我可能知道您是 Jason Hoch，您的 StackOverflow 用户 ID 是 52961000.但我仍然无法使用该信息在 StackOverflow.com 上对您进行身份验证.

Knowing a user's UID does not mean you can impersonate that user. I may know that you're Jason Hoch and your StackOverflow user id is 52961000. But I still cannot use that information to authenticate as you at StackOverflow.com.

假设您在 Firebase 数据库中有用户的个人资料信息:

Say that you have the user's profile information in the Firebase database:

users
    uid_52961000
        name: 'Jason Hoch'

你有这些相应的安全规则:

And you have these corresponding security rules:

"users": {
    ".read": true,
    "$uid": {
        ".write": "auth.uid === $uid"
    }
}

通过这些设置，如果我被认证为用户 uid_52961000，我只能写 /users/uid_52961000.由于身份验证要求我知道您的用户名/密码或其他一些(Facebook 或其他社交提供商)的秘密，没有这些我就无法冒充您.

With these settings, I can only write /users/uid_52961000 if I'm authenticated as user uid_52961000. Since authentication requires that I know your username/password or some other (Facebook or other social provider) secret, without those I cannot pretend to be you.

这篇关于使用 Firebase UID 作为二维码标签是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！