I have a straightforward next.js website using firebase in which users can save notes about their day. Once they create a note, I redirect them to a page showing the note’s content. Since I’m using next.js, I was thinking of using static generation for those pages, but that would mean I cannot authenticate the users accessing the page.
So, would be using the autogenerated document ID in the URL, like /note/uo7darDLMgbjtMBl3FgD
, prevent other users from accessing it?
I’m worried someone might be able to infer some URLs from knowing the site uses firebase or be able to find all static pages with some form of a brute-force attack.
The data is private but doesn’t contain any health or banking information. It’s just more or less personal notes about people’s day.
2
Answers
When it comes to using a unique id to protect user content, the answer can be found on security StackExchange. As other answers have mentioned though, it's important to prevent web crawlers from indexing the urls.
As far as using the firestore autogenerated id for security, this StackOverflow answer shows it is crypo random quality.
As I understand from your comments, the question is not about security rules, but more about the uniqueness of document IDs.
The answer is yes. Why? Because of the built-in generator that Firestore uses to generate document IDs. This mechanism provides random, unique, and highly unpredictable document IDs, which prevents the users from guessing them. But you can see this by yourself if you dig into the (open-source) SDKs. For example, in the Android SDK, there is a function called autoId(). If you open it, you’ll see that it clearly generates pure client-side randomness with enough entropy to ensure pure uniqueness. That’s the same algorithm for the Javascript SDK.
However, since it’s about a web page, and you want that all those
/note/...
URLs not to be accessible, always make sure to prevent Google from indexing those pages using one of the solutions that exist in the following answers: