0

In the Firebase documentation for managing users, it says:

// The user's ID, unique to the Firebase project. Do NOT use
// this value to authenticate with your backend server, if
// you have one. Use User.getToken() instead.

I am currently using the user's UID to get certain pieces of data from my backend. Should I not be doing this? Can someone explain what exactly the issue is?

Frank van Puffelen
  • I think it's saying you shouldn't log in a user using only the UUID. It's better practice to use getToken() instead since it's unique to each request and can't be duplicated. This only applies when authenticating via a backend server. – hudson Jan 19 '21 at 01:32
  • That's indeed the reason @hudson. Can you write it up in an answer, so I can upvote it? And for wnba_youngboy: also see my answer here: https://stackoverflow.com/questions/37221760/firebase-is-auth-uid-a-shared-secret and Doug's here: https://stackoverflow.com/questions/53220681/can-i-login-into-a-users-account-if-i-just-know-uid-in-firebase – Frank van Puffelen Jan 19 '21 at 01:52

1 Answer

2

I think it's saying you shouldn't log in a user using only the UUID. It's better practice to use getToken() instead since it's unique to each request and can't be duplicated. This only applies when authenticating via a backend server.

hudson
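
As an added illustration of the answer and comments above (not code from the question, the answer, or Firebase): a backend handler that trusts a client-sent UID, next to one that takes the UID only from a verified signed token. The key pair, project ID and sample data are constructed stand-ins; a real backend would check the token with the Firebase Admin SDK's verifyIdToken() against Google's public keys.

```javascript
// Added example: constructed keys, tokens and data, not Firebase's real signing keys.
const crypto = require('node:crypto');

const PROJECT_ID = 'demo-project'; // hypothetical project ID
const ISSUER = `https://securetoken.google.com/${PROJECT_ID}`;
// Stand-in for the issuer's key pair; a real backend only ever sees the public keys.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Plays the role of the auth service issuing an ID token for a signed-in user.
function issueToken(uid, key = privateKey, ttlSeconds = 3600) {
  const now = Math.floor(Date.now() / 1000);
  const body = `${enc({ alg: 'RS256', typ: 'JWT' })}.` +
    enc({ iss: ISSUER, aud: PROJECT_ID, sub: uid, iat: now, exp: now + ttlSeconds });
  return `${body}.${crypto.sign('sha256', Buffer.from(body), key).toString('base64url')}`;
}

// Backend check: returns the verified UID, or null if the token cannot be trusted.
function verifyToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null; // a bare UID is rejected here
  const [header, payload, sig] = parts;
  try {
    if (dec(header).alg !== 'RS256') return null; // pin the algorithm
    const signed = Buffer.from(`${header}.${payload}`);
    if (!crypto.verify('sha256', signed, publicKey, Buffer.from(sig, 'base64url'))) return null;
    const claims = dec(payload);
    const now = Math.floor(Date.now() / 1000);
    if (claims.iss !== ISSUER || claims.aud !== PROJECT_ID || claims.exp <= now) return null;
    return typeof claims.sub === 'string' && claims.sub ? claims.sub : null;
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Insecure handler: the UID is an identifier, not a secret, yet it is trusted as proof.
const getProfileInsecure = (uid, db) => db[uid] ?? null;

// Hardened handler: the UID is read only from a token whose signature and claims check out.
function getProfileSecure(token, db) {
  const uid = verifyToken(token);
  return uid ? (db[uid] ?? null) : null;
}

const sampleDb = { 'uid-alice': { email: 'alice@example.test' } }; // constructed data
console.log(getProfileInsecure('uid-alice', sampleDb));        // returned to any caller
console.log(getProfileSecure('uid-alice', sampleDb));          // null: no valid token
console.log(getProfileSecure(issueToken('uid-alice'), sampleDb));
```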