Firebase - Is auth.uid a shared secret?


Question

It appears that when someone authenticates via oAuth, Firebase creates a uid that looks something like google:111413554342829501512, for example.

In Firebase rules, you can do (read and/or write):

".read": "root.child('users').child(auth.uid).child('isAdmin').val() == true"

Is it assumed that I can't read the message by sniffing the network because of the use of HTTPS? Is this how it works - the UID is a shared key used by Firebase rules?

I see that UID in firebase:session::ack in Local Storage in my browser once authenticated.

Answer

Knowing someone's user id is not a security risk.

For example, I know that your Stack Overflow user id is 4797603. That fact alone allows me to potentially find you on Stack Overflow.

But it does not in any way allow me to pretend that I am Ron Royston. To do the latter I'd need to know the username and password (and any other factor) that you use to sign-in.

The same applies to Firebase. If you know that my uid in some Firebase-backed application is google:105913491982570113897, you cannot suddenly pretend to be me. The Firebase servers verify that the auth.uid value is based on the actual credentials of that user. The only way to do so is by signing in as me, which in this case requires you to know my Google credentials.
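As an added illustration (not part of the question or the answer above), here is a small Python simulation of why the uid carries no secret: the rules engine derives auth.uid from a token signed by the auth server, so a uid on its own, presented without a valid signature, grants nothing. Firebase actually uses RS256-signed ID tokens; the HMAC key, the token format and the database contents below are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample database, laid out like the rule expects: users/{uid}/isAdmin.
DB = {"users": {"google:111413554342829501512": {"isAdmin": True},
                "google:105913491982570113897": {"isAdmin": False}}}

# Hypothetical signing key known only to the auth server (stand-in for the
# private key behind real Firebase ID tokens).
AUTH_SERVER_KEY = b"constructed-server-only-key"

def _encode(uid: str) -> str:
    return base64.urlsafe_b64encode(json.dumps({"sub": uid}).encode()).decode()

def issue_token(uid: str) -> str:
    """Auth server: only called after the user has proven their credentials."""
    payload = _encode(uid)
    sig = hmac.new(AUTH_SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_token(token: str):
    """Rules engine: auth.uid is taken only from a token whose signature checks out."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(AUTH_SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def can_read(token: str) -> bool:
    """Evaluates root.child('users').child(auth.uid).child('isAdmin').val() == true."""
    uid = verify_token(token)
    if uid is None:           # unauthenticated: auth is null, rule fails
        return False
    return DB["users"].get(uid, {}).get("isAdmin") is True

def unsigned_claim(uid: str) -> str:
    """What someone who knows only a uid can produce: the claim without a signature."""
    return f"{_encode(uid)}.{'0' * 64}"
```

Knowing the admin's uid (readable from Local Storage, a URL or a leaked database path) is enough to build `unsigned_claim`, but `can_read` still returns False for it; only a token the auth server signed for that uid passes.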
