Firebase - Is auth.uid a shared secret?
Knowing someones user id is not a security risk.
For example, I know that your Stack Overflow user id is 4797603. That fact alone allows me to potentially find you on Stack Overflow.
But it does not in any way allow me to pretend that I am Ron Royston. To do the latter I'd need to know the username and password (and any other factor) that you use to sign-in.
The same applies to Firebase. If you know that my uid in some Firebase-backed application is google:105913491982570113897
, you cannot suddenly pretend to be me. The Firebase servers verify that the auth.uid
value is based on the actual credentials of that user. The only way to do is by signing in as me, which in this case requires you to know my Google credentials.