
I am familiar with this snippet of code in Firebase rules:

```json
"AuthenticatedUsers": {
  "$uid": {
    ".read": "auth.uid === $uid",
    ".write": "auth.uid === $uid"
  }
}
```

If I want to save a message in two different roots, and these roots can only be accessed (read/write) by two users, how can I do the snippet of code above without sharing the UID given by Firebase with the two users previously?

I have to save the uId of the users in some root that has this rule:

```json
".write": "auth !== null",
".read": "auth !== null"
```

But won't that make that root vulnerable to being hacked, to someone stealing or altering this UID? Would that harm the owner of the UID in some way?

Anas
  • There's nothing vulnerable about this. In short, I know your Stack Overflow ID but I cannot post anything from your account. Also check out: [Is Firebase UID a shared secret?](https://stackoverflow.com/questions/37221760/firebase-is-auth-uid-a-shared-secret) Your current rules ensure that a user can read and write his own data only. So one would need that user's email/password or their actual user account to get access to the data. – Dharmaraj Jan 10 '22 at 18:53
  • So there is no harm if I save the UIDs in a root where anyone authenticated can see them, and then use some UID to protect another root (messages example)? @Dharmaraj – Anas Jan 10 '22 at 19:06
  • Yes, just make sure that no one can delete or write them. Though what's the use case of making all UIDs public? And yes, `AuthenticatedUsers/userId1` can be read by the user with UID `userId1` only when the user is logged in via their login method. – Dharmaraj Jan 10 '22 at 19:08
  • I don't think so. I need every user to save his ID in a general root, then I want user2 to take the user's UID and save it in user2's root to give access only to user1. If the UID is important, how can I protect the general root? If it is not that important, so the general root does need to be protected. @Dharmaraj – Anas Jan 10 '22 at 19:43

0 Answers
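The layout discussed in the comments, written out as Realtime Database rules; this is an added example, not code from the question or from any commenter. The node names `PublicUids` and `Conversations` and the `sender` field are assumptions. Access is decided by comparing `auth.uid` (set by Firebase from the signed-in session) against stored UIDs, so knowing someone's UID does not grant access to their data.

```json
{
  "rules": {
    // Hypothetical directory of UIDs: readable by any signed-in user.
    "PublicUids": {
      ".read": "auth !== null",
      "$uid": {
        // A user may create only their own entry; no one can overwrite
        // or delete an existing entry (data.exists() blocks both).
        ".write": "auth !== null && auth.uid === $uid && !data.exists() && newData.exists()"
      }
    },
    // Hypothetical per-conversation node shared by its members.
    "Conversations": {
      "$convId": {
        "members": {
          // Only members can see who is in the conversation.
          ".read": "auth !== null && data.child(auth.uid).exists()",
          // The list is written once, and the creator must be in it.
          ".write": "auth !== null && !data.exists() && newData.child(auth.uid).exists()",
          "$memberUid": {
            ".validate": "newData.val() === true"
          }
        },
        "messages": {
          // Reading requires the caller's own UID in the member list.
          ".read": "auth !== null && root.child('Conversations').child($convId).child('members').child(auth.uid).exists()",
          "$msgId": {
            // Members may add new messages but not edit or delete old ones.
            ".write": "auth !== null && !data.exists() && root.child('Conversations').child($convId).child('members').child(auth.uid).exists()",
            // The sender field must match the authenticated caller.
            ".validate": "newData.child('sender').val() === auth.uid"
          }
        }
      }
    }
  }
}
```

A client that knows another user's UID but is signed in as someone else fails every `auth.uid` comparison above, which is why the directory can be readable as long as it is not writable by others.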