Tags: firebase, firebase-authentication, angularfire

Firebase authentication: uid vs. getToken (again...)


Ref to docs and SO follow, but:

If I get a user's uid because Firebase handed it to me after authentication, isn't that good enough to prove that this particular user is in fact authenticated on my site?

this.afAuth.auth.onAuthStateChanged((user) => {
   if (user) {
      // signed in: use user.uid as the key for my users collection
   } else {
      // signed out: user is null here, so there is no uid to use
   }
});

So that I can add additional information in my users table as:

myUsersCollection/[uid]/the_other_things:"some stuff here"

The post "Why can't we use getUid() to authenticate with your backend server in firebase authentication" didn't seem to clear this up for me.

Is there a way someone can spoof the onAuthStateChanged event to fool me? If I did get the uid from some other source then of course I wouldn't know for sure. But as long as I correctly use the state changes and trust Firebase auth, how does getToken() help in proving authentication?

Also, is getToken() actually deprecated even though it's still in the docs?

Thanks in advance for the insight!


Solution

  • Firebase uses OAuth2, which is an open-standard authorization protocol that gives applications the ability to access resources securely. OAuth uses authorization tokens to prove an identity between consumers and service providers.

    The Firebase UID is not private and does not guarantee the user's identity. When onAuthStateChanged returns a Firebase user, you know that the user was authorized within the limits set for session longevity. Although unlikely, it is possible that the session state could be compromised. This is why security-sensitive operations require reauthentication and why ID tokens are short lived (typically one hour).