
Where is the Firebase offline data stored, and is it secure? I have some important IDs like the UID, which are available in all user messages (online, offline), and actually in the Firebase security rule I have to check only that.

I tried to encrypt it, but I ran into a problem with decryption in the Firebase security rule, because there are no decryption possibilities there, so how can I secure the offline data which is available on users' phones?

Muhammad
  • First off: UIDs are not secrets, so in general you can freely share them with other users of the app. See https://stackoverflow.com/a/37222341 Next up: what do you want to secure it against? I.e. what specific action/abuse are you trying to make impossible by encoding this data? – Frank van Puffelen Feb 21 '20 at 14:40
  • I just want to make secure `read` and `write`; on the other hand I am using `phone auth` for registration. Now suppose the user installed the app, so here I need fast login, and I can't force the user to log in with a phone number every time, so I let them open the app without login after the first registration, and then send or read messages. Here I have to set the `UID` as a user document, then in the security rule I check if the user `read` or `write` has the `UID`. Here in offline messages the `UID` is available, and I am concerned about that. – Muhammad Feb 21 '20 at 17:54
  • Local writes are not checked against security rules. Once the user comes back online, their local changes are synchronized with the server, and the security rules are enforced there. There is no way for the user to spoof `request.auth.uid` in security rules, as it is constructed from the ID token that is passed along with the write request. – Frank van Puffelen Feb 21 '20 at 18:00
  • Thank you, I know, but I mean I am worried about the `UID` when users' messages exist in the `cache`, because the `UID` is within the messages. So if someone finds the `UID`, they can request to read and write without my app, because on the server I only check `request.auth.uid == userId`. (The `userId` is the `uid` which is available in messages.) – Muhammad Feb 21 '20 at 18:20
  • As said, the `request.auth.uid` in security rules cannot be spoofed. Note that it'd be a lot easier to help if you include the [minimal code/data/rules that reproduces what you're asking about](http://stackoverflow.com/help/mcve) in your question, so that we don't have to dig it up in a comment thread, but can just answer your question right away. – Frank van Puffelen Feb 21 '20 at 18:35

1 Answer


First off: UIDs are not secrets, so in general you can freely share them with other users of the app. In fact, that is often necessary to make a meaningful app. See Firebase - Is auth.uid a shared secret?

You'll want to always ensure you check any values written and read against the request.auth.uid value, which is automatically populated by Firebase. This value comes from the ID token that is sent with each request, and cannot be spoofed by a user.

Writes to the local cache are not immediately checked against your database's security rules, since those are only enforced once the write reaches the server. But that typically doesn't matter, since it just means that a local user can spoof the data they write to their own cache. If they write something with a different UID there, it'll be rejected once your server-side security rules see the operation.

Frank van Puffelen
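An added example of the rule shape the answer and comments describe, not code from the original post. It is written for Cloud Firestore and assumes a hypothetical `users/{userId}/messages/{messageId}` layout with a `uid` field inside each message; it goes one step beyond the plain `request.auth.uid == userId` check by also requiring that the `uid` stored in the document matches the authenticated user on create and cannot be changed on update, so a message placed in the device cache with someone else's UID is rejected when it syncs.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Hypothetical layout: users/{userId}/messages/{messageId}
    match /users/{userId}/messages/{messageId} {
      // Reads: only the signed-in user whose UID equals the path segment.
      // request.auth comes from the ID token on the request, not from
      // anything stored on the phone, so merely knowing a UID read from
      // a cache does not satisfy this condition.
      allow read: if request.auth != null
                  && request.auth.uid == userId;

      // Creates: same ownership check, plus the uid field inside the
      // document must equal the authenticated UID. A message written to
      // the local cache with a forged uid field fails here on sync.
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.uid == request.auth.uid;

      // Updates: owner only, and the uid field may not be rewritten.
      allow update: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.uid == resource.data.uid;

      // Deletes: owner only.
      allow delete: if request.auth != null
                    && request.auth.uid == userId;
    }
  }
}
```

These rules can be exercised against the local Firebase emulator with test writes that carry a `uid` field different from the signed-in user's to confirm the create is denied.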