Firebase - auth.uid是共享密钥吗? [英] Firebase - Is auth.uid a shared secret?
问题描述
google:111413554342829501512 的uid。 在Firebase规则中,您可以执行(读取和/或写入):
。read: root.child('users')。child(auth.uid).child('isAdmin')。val()== true
是否因为使用HTTPS而无法通过嗅探网络来读取消息?这是如何工作的 - UID是由Firebase规则使用的共享密钥?
我看到中的UID firebase:session :: ack 在我的浏览器中的本地存储中进行身份验证。 解析方案知道某人的用户标识不是安全风险。例如,我知道你的堆栈溢出用户ID是4797603.仅凭这一事实,我就有可能在Stack Overflow上找到你。不过,这并不能让我假装自己是罗恩·罗伊斯顿(Ron Royston)。要做到这一点,我需要知道您用来登录的用户名和密码(以及任何其他因素)。
Firebase也是如此。如果您知道我的某个Firebase支持的应用程序中的uid是 google:105913491982570113897 ,那么您不能突然冒充我。唯一的办法是以我身份登录,在这种情况下,您需要知道我的Google凭证。
It appears that when someone authenticates via oAuth, Firebase creates a uid that looks something like google:111413554342829501512, for example.
In Firebase rules, you can do (read and/or write):
".read": "root.child('users').child(auth.uid).child('isAdmin').val() == true"
Is it assumed that I can't read the message by sniffing the network because of the use of HTTPS? Is this how it works - the UID is a shared key used by Firebase rules?
I see that UID in firebase:session::ack in Local Storage in my browser once authenticated.
Knowing someones user id is not a security risk.
For example, I know that your Stack Overflow user id is 4797603. That fact alone allows me to potentially find you on Stack Overflow.
But it does not in any way allow me to pretend that I am Ron Royston. To do the latter I'd need to know the username and password (and any other factor) that you use to sign-in.
The same applies to Firebase. If you know that my uid in some Firebase-backed application is google:105913491982570113897, you cannot suddenly pretend to be me. The only way to do is by signing in as me, which in this case requires you to know my Google credentials.
这篇关于Firebase - auth.uid是共享密钥吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
