Is it safe to use Firebase UID as QR code tag?

清酒与你 2020-12-24 15:34

If I used the Firebase user UID as a QR code tag, is this a wise way?

What are the consequences if the UID is known by the public?

Will this give any chance for a

1 answer
  • 2020-12-24 16:13

    A Firebase UID is not a security mechanism by itself. Knowing a user's UID is not a security leak.

    Knowing a user's UID does not mean you can impersonate that user. I may know that you're Jason Hoch and your StackOverflow user id is 52961000. But I still cannot use that information to authenticate as you at StackOverflow.com.

    Say that you have the user's profile information in the Firebase database:

    users
        uid_52961000
            name: 'Jason Hoch'
    

    And you have these corresponding security rules:

    "users": {
        ".read": true,
        "$uid": {
            ".write": "auth.uid === $uid"
        }
    }
    

    With these settings, I can only write /users/uid_52961000 if I'm authenticated as user uid_52961000. Since authentication requires that I know your username/password or some other (Facebook or other social provider) secret, without those I cannot pretend to be you.

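The rules from the answer above, run through a small model of rule evaluation to show what a UID scanned from a QR code does and does not unlock. This is an added example, not part of the original answer and not Firebase's own code; `isAllowed`, `evalRule`, the error-as-deny handling and the second UID are assumptions made for illustration.

```javascript
// Simplified model of Realtime Database rule evaluation (illustrative only).
// RULES is copied from the answer; rule strings are trusted constants here.
const RULES = {
  users: {
    ".read": true,
    "$uid": { ".write": "auth.uid === $uid" },
  },
};

// Evaluate one rule with `auth` and any captured $variables in scope.
function evalRule(expr, auth, vars) {
  if (typeof expr === "boolean") return expr;
  const names = Object.keys(vars);
  try {
    const fn = new Function("auth", ...names, `return (${expr});`);
    return fn(auth, ...names.map((n) => vars[n])) === true;
  } catch (e) {
    return false; // e.g. auth is null: modelled as deny (assumption)
  }
}

// op is ".read" or ".write"; auth is null or { uid } from a verified sign-in.
function isAllowed(op, path, auth, rules = RULES) {
  let node = rules;
  const vars = {};
  if (op in node && evalRule(node[op], auth, vars)) return true;
  for (const seg of path.split("/").filter(Boolean)) {
    if (!seg.startsWith(".") && Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      const wild = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wild) return false; // no rule covers this path: default deny
      vars[wild] = seg; // bind the path segment to the $variable
      node = node[wild];
    }
    // A grant at any level cascades to everything below it.
    if (op in node && evalRule(node[op], auth, vars)) return true;
  }
  return false;
}

// Constructed scenario: this UID was read from a public QR code.
const scannedUid = "uid_52961000";
const target = `/users/${scannedUid}`;
const results = {
  anonRead: isAllowed(".read", target, null),
  anonWrite: isAllowed(".write", target, null),
  otherWrite: isAllowed(".write", target, { uid: "uid_someone_else" }),
  ownerWrite: isAllowed(".write", target, { uid: scannedUid }),
};
console.log(results);
```

Only the caller whose authenticated `auth.uid` matches the path segment can write. The read succeeds for everyone because of `".read": true`, so with these rules anything stored under `/users` should be data you are comfortable exposing to whoever scans the code.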