Firebase Firestore Keeping the users after i delete them - android

I have created a quiz app with Android Studio, and you can create an account and log in. For testing I created multiple accounts, and now I have deleted them from Firestore. I can still log in and perform actions with the old users that I deleted from Firestore. Why is this happening?

Assuming that you mean that Firebase users can still access data in Firestore after you deleted their account, that may be working as expected if you're trying it right after the account has been deleted.
Firebase auth ID tokens are valid for an hour, and deleting a user does not revoke their existing ID token. See https://firebase.google.com/docs/auth/admin/manage-sessions#detect_id_token_revocation for a longer explanation, and ways to deal with it. The latter typically involves flagging the deleted user account in the database, and then also checking against that record in your security rules.
A final note: consider disabling the account instead of deleting it. This prevents the user from creating a new account with the same credentials.

How To Delete Single user Credential with multiple device login with Firebase Authentication

I have one Firebase Authentication account and log in to multiple devices with the same account. the problem is that if I delete my account from one device, I need to delete the account from all devices. How can I do that?
The code to delete the account:
mAuth.signOut()
mAuth.currentUser?.delete()
What you encounter is the expected behavior. There are some cases, such as yours where the getCurrentUser() method will return a non-null FirebaseUser object, but that doesn't mean that the underlying token is still valid. This typically happens, for example, if the user deletes the FirebaseUser on a device and the local token on the other devices has not been refreshed. This is exactly what you are experiencing. In this case, you'll get a valid FirebaseUser object, but subsequent calls to authenticated resources, such as attempts to refresh the token, will fail since the token is not valid anymore.
To overcome this situation, I recommend you read my answer from the following post:
Deleted user has access to Firebase Firestore
Furthermore, if you delete a FirebaseUser using:
mAuth.currentUser?.delete()
There is no need to call:
mAuth.signOut()
Because delete() method:
Deletes the user record from your Firebase project's database. If the operation is successful, the user will be signed out.
Firebase Authentication is based on ID tokens, which are valid for an hour after they are minted.
So when you delete the user on one device, the tokens on other devices may still be valid for up to an hour. You don't really need to delete the account on all devices, but it may indeed take up to an hour before the other devices also show the user as logged out.
If that is unwanted in your use-case, you may want to read the documentation on managing user sessions. You could revoke the ID tokens (if you know them) as shown there, or (more easily) signal that the UID has been deleted to all clients in a database.

Why is my app still considering the user as logged in even after deleting their account? [duplicate]

This question already has an answer here:
Firebase deleted user is able to change data. How can I fix this without modifying application code?
(1 answer)
Closed 3 years ago.
The user.uid is still being returned (with the help of uid != null, I am assuming the user is logged in).
I also tried addAuthStateListener(mAuthListener), but I am still getting the UID of the previously deleted user.
Without using a database to track banned or deleted user IDs, is it possible to remove that user instantly?
When a user signs in to Firebase, they get an access/ID token that is valid for an hour. This ID token cannot be revoked, as that would require Firebase to perform a quite expensive check on each call.
So when you delete the user's account from the console, they may retain access for up to an hour, at which point they will need to refresh their token, which will fail (since you deleted their account). So their access will automatically disappear within an hour.
A few points:
If you want to lock the user out of the application before their ID token expires, you'll want to keep an additional list of banned UIDs somewhere. For example, if you're using a Firebase database, you can keep a global list of bannedUIDs, and add the UID to that. Then in your server-side security rules, you can check if the UID who's trying to access the database isn't banned.
If you delete the user's account, they can just sign up again and create a new account. For this reason it is typically better to disable their account, which accomplishes the same (they won't be able to get a new ID token after their current one expires), but prevents them from signing up again with the same credentials.
Also see:
the video Five tips to secure your app
User keeps login even if I delete the account
Why firebase user still signed in after I deleted it from firebase dashboard
Does deleting account from Firebase automatically logs user out?
User authentication persisted after having cancelled the user from console.firebase.google.com
Firebase user deleted but still logged in on device
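The refresh failure that the two answers above describe (a non-null FirebaseUser whose token can no longer be refreshed), as an added Kotlin example for the Android client. This is my own code, not from any answer here; the function name refreshSessionOrSignOut is my own.

```kotlin
import com.google.firebase.auth.FirebaseAuth
import com.google.firebase.auth.FirebaseAuthInvalidUserException
import com.google.firebase.auth.FirebaseUser

/**
 * Forces a refresh of the cached ID token. A non-null currentUser only means a
 * token is cached locally; if the account was deleted (or disabled) in the
 * console, the backend rejects the refresh, and that is the moment the client
 * should drop the stale session instead of waiting up to an hour for expiry.
 */
fun refreshSessionOrSignOut(
    auth: FirebaseAuth = FirebaseAuth.getInstance(),
    onResult: (FirebaseUser?) -> Unit
) {
    val user = auth.currentUser
    if (user == null) {
        onResult(null)          // nobody is signed in locally
        return
    }
    // forceRefresh = true skips the cached (~1 hour) token and asks the backend.
    user.getIdToken(true).addOnCompleteListener { task ->
        if (task.isSuccessful) {
            onResult(user)      // account still exists and is enabled
            return@addOnCompleteListener
        }
        val e = task.exception
        if (e is FirebaseAuthInvalidUserException) {
            // Thrown for a deleted or disabled account: the refresh token is dead.
            auth.signOut()      // clears the local token; AuthStateListener fires
            onResult(null)
        } else {
            // Network or other transient error: keep the session and retry later.
            onResult(user)
        }
    }
}
```

Call it from onStart() of screens that touch Firestore; until the refresh fails, the backend still accepts reads and writes carrying the old, unexpired token, so the bannedUIDs check in security rules remains the actual enforcement.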

How to recover user account if user has deleted the app or changed phone?

I am working with Cloud Firestore and I came to the question at the top. I will give you an example.
The user installs the app and logs in with Google. I save the log-in information in the device storage so the user does not have to log in every time. It is also stored in Firestore with a generated ID.
The user plays with the app and one day uninstalls it. This erases the log-in information in the async storage, losing the generated ID that granted him access to the app.
One day he decides to install it again, let's say on another device to make it harder. He had various information in his profile, or maybe an active payment plan he forgot to delete, and he wants to do it now. He clicks on Google log-in since it was how he did it, but now the profile information is gone because another account was created with another generated ID.
How to avoid this? I want the app to remember the user account in some way. The user account would be stored in my Firestore.
According to the docs:
For Android and iOS, offline persistence is enabled by default.
Meaning that by default, Firestore creates a local copy of the database on the client's device.
User installs app and logs in with Google.
So I assume you have already implemented Firebase authentication with Google.
It is also stored in Firestore with a generated ID.
Without seeing that "generated ID", it's hard to say if it's the correct ID or not. The idea behind this authentication is to sign in your users with Firebase, no matter what the provider is. Furthermore, if you want to save user data in Firestore, store it in a document whose ID is the user ID that comes from the authentication process. In this way, it doesn't matter what the provider is; you'll always store the data under a document whose key will never change.
User plays with the app and one day uninstalls it. This erases the log-in information in the async storage, losing the generated ID that granted him access to the app.
It's true that if the user uninstalls the app, all the cache is wiped out from the storage, including the log-in information. That being said, bear in mind that you should never store such information on the disk. When using Firebase authentication, there is no log-in information that needs to be stored. If you still haven't implemented it, I recommend you start with the docs.
One day he decides to install it again, let's say in another device to make it harder. He had various information in his profile or maybe an active payment plan he forgot to delete and he wants to do it now. He clicks on google log in since it was how he did it, but now the profile information is gone because another account was created with another generated ID.
This is only happening if you are using a type of ID other than the one explained above. If you had used the ID that comes from the authentication process, the second time the user tries to sign in, even if using a different device, he'll be recognized as the same user with the same data. In this way, the user will be able to access the same document with the same data and recreate the local cache.
I'm not sure which framework you are using to create the app, but the Firebase SDK has sign-in along with create user with email & password. The needed data could be saved to the user's document in Firestore.
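The "key the document by the authentication UID" advice above, as an added Kotlin example for Android (my code, not from the answers; the function name ensureProfile and the users collection name are my own choices). It also shows the caveat a reinstall brings: write with merge so the sign-in on a new device does not overwrite fields such as a payment plan that were stored earlier.

```kotlin
import com.google.firebase.auth.FirebaseAuth
import com.google.firebase.firestore.FirebaseFirestore
import com.google.firebase.firestore.SetOptions

/**
 * Keys the profile document by the Firebase Auth UID instead of a generated ID.
 * The UID is the same for the same Google account on any device, so a reinstall
 * or a new phone resolves to the same users/{uid} document.
 */
fun ensureProfile(
    auth: FirebaseAuth = FirebaseAuth.getInstance(),
    db: FirebaseFirestore = FirebaseFirestore.getInstance(),
    onReady: (Map<String, Any>?) -> Unit
) {
    val user = auth.currentUser ?: return onReady(null)   // not signed in
    val ref = db.collection("users").document(user.uid)   // users/{uid}
    val baseline = mapOf(
        "email" to (user.email ?: ""),
        "displayName" to (user.displayName ?: "")
        // "plan" is deliberately not written here: merge() keeps the stored value
    )
    // merge() creates the document on first sign-in and leaves other fields
    // untouched on later sign-ins; a plain set() would wipe them.
    ref.set(baseline, SetOptions.merge())
        .continueWithTask { ref.get() }   // read back the merged document
        .addOnSuccessListener { snap -> onReady(snap.data) }
        .addOnFailureListener { onReady(null) }
}
```

Pair this with a security rule that only lets request.auth.uid read and write its own users/{uid} document, so the client cannot pick another user's document.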

Manage Firebase users in app

I'm developing an Android app which needs to be able to manage the user list. Problem is, Firebase doesn't seem to offer much support for this kind of scenario, as opposed to social apps where users are self-registering and managing their own accounts. I could create users in the Firebase console, but this is not enough.
The users are to be registered by email and password, some users must have admin permissions and be allowed to edit the user list, I can enforce this using security rules. However, the users listed in the Firebase console don't have any place to put extra information for the permissions, so this info must go in the main database. Editing the database tree in console is not reasonable, hence this must be done in the app.
First problem is, there is no way to get the user list from the app. As a workaround, I can create users only in the app using createUserWithEmailAndPassword() function. Then, I can save the extra user info in the main database, keeping them in sync.
Minor problems aside (such as newly created user getting automatically signed in, signing out the admin user), the function starts to fail and the error logs indicate "TOO_MANY_ATTEMPTS_TRY_LATER". This is not acceptable.
Any suggestions will be appreciated. Thank you.
The users are to be registered by email and password, some users must
have admin permissions and be allowed to edit the user list, I can
enforce this using security rules. However, the users listed in the
Firebase console don't have any place to put extra information for the
permissions, so this info must go in the main database
You should have a separate workflow for admins which would add the admin UID to a DB node "admins".
Then whenever you need to check if your user is an admin using rules, you can use something like
".write": "root.child('admins/'+$user_id).exists()"
Creating and logging in other users seems pretty unintuitive to me. I would suggest using dynamic links for invites and letting the invited users install the app, create their own users and sign in themselves. You can then use the dynamic link info to see whoever invited them and act accordingly.
