
What are the uniqueness guarantees of names generated with Firebase's push()/childByAutoID?

I'd like to use Firebase to make publicly-readable data whose location is difficult to guess. So, to give someone access to the data stored in "element [element ID = X]", I'd like to just send them "X", instead of sending them "X" along with a security token crafted to give them access to the element. Firebase's push() and childByAutoID seem like a natural fit: I can grant public read access to all individual elements, but deny public listing. My code will be blissfully free of token and random number generation. The automatically generated ID is supposed to be unique, and thus should be difficult to guess.

From looking at Firebase.js, it appears the first 8 characters of the automatically generated ID are based on the current timestamp, and the next 12 characters are randomly generated using Math.random(). I assume that the iOS framework does the same thing, and although I can't see the code, the library links to both SecRandomCopyBytes and arc4random.

For my purposes, this looks good enough, but has anyone seen guidance from Firebase on whether we can count on this behavior? I would hate to build code that assumes these names are relatively strong random strings and then have that assumption violated when I upgrade to a newer version of Firebase.

The purpose of the auto-generated IDs provided by Firebase is to allow the developer to create a chronologically ordered list in a distributed manner. It relies on Math.random and the timestamp to generate an ID unique to that client.

However, if you're going to use the auto IDs as security keys, it may not be the best idea depending on how secure you want your system to be. Math.random is not a cryptographically secure random number generator and since push() relies on it, the IDs generated by it aren't either.

The general concept of giving a user access to some data in Firebase if they know the key is a good one though. We have an example of using this type of security rule, but instead of using push IDs, we use a SHA-256 hash of the content itself (in this particular case, they are images). Hashing the content to generate the keys is more secure than relying on push() IDs.
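The following Node.js sketch is an added example, not part of the original posts and not Firebase's code. It models the ID layout the question describes (8 timestamp characters followed by 12 characters from Math.random) next to two keys that do not depend on Math.random; the alphabet and all function names are assumptions made for illustration.

```javascript
// Added example (not Firebase's code). The alphabet and layout are assumptions
// modelled on the question's description: 8 timestamp chars + 12 random chars.
const crypto = require('crypto');

const ALPHABET = // 64 symbols, assumed for illustration
  '-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz';

// Push-style ID: sortable by time, randomness from Math.random (not a CSPRNG).
function pushStyleId(nowMs = Date.now()) {
  let t = nowMs;
  const prefix = new Array(8);
  for (let i = 7; i >= 0; i--) {
    prefix[i] = ALPHABET[t % 64];
    t = Math.floor(t / 64);
  }
  let suffix = '';
  for (let i = 0; i < 12; i++) {
    suffix += ALPHABET[Math.floor(Math.random() * 64)];
  }
  return prefix.join('') + suffix;
}

// Anyone holding the ID can read the creation time back out of the prefix,
// so those 8 characters add nothing to unguessability.
function timestampFromId(id) {
  let t = 0;
  for (const ch of id.slice(0, 8)) t = t * 64 + ALPHABET.indexOf(ch);
  return t;
}

// Alternative 1: key drawn entirely from the OS CSPRNG (128 bits, hex encoded).
function randomKey() {
  return crypto.randomBytes(16).toString('hex');
}

// Alternative 2 (the answer's suggestion): SHA-256 of the content as the key.
function contentKey(content) {
  return crypto.createHash('sha256').update(content).digest('hex');
}
```

A content-derived key is only as hard to guess as the content itself, so it suits high-entropy data such as the images mentioned in the answer.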
