2

So im using Firebase to authenticate a user and that works fine. In the end I get a uid, which I can uniquely identify a user. I dont want to use any other firebase tools since I dont believe they are suited for my application, so I want to use mongoDB for document storage. I can thus use the uid as the key to the person ( and other ) data.

My question is about security. What is someone gets access to the uid? and since this uid might link to other user's uid, if someone gets access, then they might be able to just call a collection.get on any uid and get potentially user sensitive data. How do I prevent this interaction? Am I overthinking this and mongo somehow handles this? Im not quite sure how to authorize that the current user is the current uid and hes not calling any document retrieval that is not allowed. Thanks

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Eugene Rozental
  • 107
  • 1
  • 6

1 Answers1

3

A UID merely identifies a user. You should never use a UID as an authentication mechanism, but instead require that the user enters the required credentials that then lead them to get the same UID. See also my answer on Firebase - Is auth.uid a shared secret?

If you're accessing MongoDB from a server, you'll typically:

  1. Sign the user in on the client-side app.
  2. Get their ID token and pass that token to your server over a secure connection.
  3. Verify the ID token on the server using a Firebase Admin SDK, or other library.
  4. Then determine what data the user is authorized based on their UID or other properties/claims from their ID token.

This process is pretty well documented in the Firebase docs on verifying ID tokens.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807