Delete an anonymous user in Firebase without Exception - android

I have used Anonymous sign-in for my users. I want my users to be able to sign out if they want (by clicking on a button). Now, I want to delete the account when the user signs out. That's why, I want to use
FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
user.delete();
But, in the Firebase documentation, it is mentioned that if a user is signed in for a long time, then we must reauthenticate the user before deleting, otherwise it may throw an exception. Now, the question arises, how can I reauthenticate an anonymous user? I am a beginner and this is my first project where I am using Firebase. My concepts may be wrong. Please help.

The requirement to re-authenticate users before sensitive operations (such as deleting their account) only applies for providers that require the user to enter credentials. For anonymous users, there is no need to reauthenticate them before deleting their account.

Related

How To Delete Single user Credential with multiple device login with Firebase Authentication

I have one Firebase Authentication account and log in to multiple devices with the same account. The problem is that if I delete my account from one device, I need to delete the account from all devices. How can I do that?
The code to delete the account:
mAuth.signOut()
mAuth.currentUser?.delete()
What you encounter is the expected behavior. There are some cases, such as yours where the getCurrentUser() method will return a non-null FirebaseUser object, but that doesn't mean that the underlying token is still valid. This typically happens, for example, if the user deletes the FirebaseUser on a device and the local token on the other devices has not been refreshed. This is exactly what you are experiencing. In this case, you'll get a valid FirebaseUser object, but subsequent calls to authenticated resources, such as attempts to refresh the token, will fail since the token is not valid anymore.
To overcome this situation, I recommend you read my answer from the following post:
Deleted user has access to Firebase Firestore
Furthermore, if you delete a FirebaseUser using:
mAuth.currentUser?.delete()
There is no need to call:
mAuth.signOut()
Because delete() method:
Deletes the user record from your Firebase project's database. If the operation is successful, the user will be signed out.
Firebase Authentication is based on ID tokens, which are valid for an hour after they are minted.
So when you delete the user on one device, the tokens on other devices may still be valid for up to an hour. You don't really need to delete the account on all devices, but it may indeed take up to an hour before the other devices also show the user as logged out.
If that is unwanted in your use-case, you may want to read the documentation on managing user sessions. You could revoke the ID tokens (if you know them) as shown there, or (more easily) signal that the UID has been deleted to all clients in a database.

Why is my app still considering the user as logged in even after deleting their account? [duplicate]

This question already has an answer here:
Firebase deleted user is able to change data. How can I fix this without modifying application code?
(1 answer)
Closed 3 years ago.
The user.uid is still coming (with the help of this uid != null, I am assuming the user is logged in).
I also tried addAuthStateListener(mAuthListener), but I am still getting UID of the previously deleted user.
Without using a database to track banned or deleted user IDs, is it possible to remove that user instantly?
When a user signs in to Firebase, they get an access/ID token that is valid for an hour. This ID token cannot be revoked, as that would require Firebase to perform a quite expensive check on each call.
So when you delete the user's account from the console, they may retain access for up to an hour, at which point they will need to refresh their token, which will fail (since you deleted their account). So their access will automatically disappear within an hour.
A few points:
If you want to lock the user out of the application before their ID token expires, you'll want to keep an additional list of banned UIDs somewhere. For example, if you're using a Firebase database, you can keep a global list of bannedUIDs, and add the UID to that. Then in your server-side security rules, you can check if the UID who's trying to access the database isn't banned.
If you delete the user's account, they can just sign up again and create a new account. For this reason it is typically better to disable their account, which accomplishes the same (they won't be able to get a new ID token after their current one expires), but prevents them from signing up again with the same credentials.
Also see:
the video Five tips to secure your app
User keeps login even if I delete the account
Why firebase user still signed in after I deleted it from firebase dashboard
Does deleting account from Firebase automatically logs user out?
User authentication persisted after having cancelled the user from console.firebase.google.com
Firebase user deleted but still logged in on device
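
The banned-UID check described in the answer above, written as Realtime Database security rules. This is an added example, not part of the original answer; the `userData` path is a hypothetical name, and `bannedUIDs` is assumed to hold one child per banned UID, written by a trusted backend.

```json
{
  "rules": {
    // Deny list keyed by UID. Clients can neither read nor write it;
    // a trusted backend using the Admin SDK bypasses these rules and adds entries.
    "bannedUIDs": {
      ".read": false,
      ".write": false
    },
    // "userData" is a hypothetical per-user path used for illustration.
    "userData": {
      "$uid": {
        // A rule of only "auth != null && auth.uid === $uid" keeps passing
        // until the deleted user's ID token expires (up to an hour).
        // The extra clause rejects the UID as soon as it is on the deny list.
        ".read": "auth != null && auth.uid === $uid && !root.child('bannedUIDs').child(auth.uid).exists()",
        ".write": "auth != null && auth.uid === $uid && !root.child('bannedUIDs').child(auth.uid).exists()"
      }
    }
  }
}
```

Add the UID to `bannedUIDs` before deleting or disabling the account, so there is no window in which the old ID token still passes the rules.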

Firebase Firestore Keeping the users after i delete them

I have created a quiz app with Android Studio and you can create an account and log in. For testing, I have created multiple accounts and now I deleted them from Firestore. I can still log in and perform actions with the old users that I have deleted from Firestore. Why is this happening?
Assuming that you mean that Firebase users can still access data in Firestore after you deleted their account, that may be working as expected if you're trying it right after the account has been deleted.
Firebase auth ID tokens are valid for an hour, and deleting a user does not revoke their existing ID token. See https://firebase.google.com/docs/auth/admin/manage-sessions#detect_id_token_revocation for a longer explanation, and ways to deal with it. The latter typically involves flagging the deleted user account in the database, and then also checking against that record in your security rules.
A final note: consider disabling the account instead of deleting it. This prevents the user from creating a new account with the same credentials.

Firebase Anonymous Auth (Android): Lifetime?

I'm thinking about using anonymous login in one of my apps as I don't really need to know anything about the user and using the account across devices is not required.
However, the user has to provide some information (once when first using the app) in order to use the app. This information is - obviously - linked to the user account. And of course the user should not have to enter this information more than once ever.
My question: What is the "lifetime" of the anonymous account? In which situation will there be a logout / creation of a new anonymous account?
E.g. after restarting the phone, will the user still be logged in with the same account as before the restart?
Thanks for your help!
PS: I only care about Android (and potentially also iOS) - but not web!
What is the "lifetime" of the anonymous account?
An anonymous user loses his account if the option to log-out is available or if the user uninstalls the app. So you can use Firebase anonymous authentication to create and use only temporary anonymous accounts to authenticate with Firebase. As I said, anonymous authentication accounts do not persist across application uninstalls. When an application is uninstalled, everything that was saved locally will be deleted, including the anonymous auth token that identifies that account. Unfortunately, there is no way to reclaim that token for the user.
If you need more details for your users, you should encourage them to fully log in with a supported account provider (Google, Facebook, Twitter and so on) so that they can log in from all their devices without worry of losing their data.
In which situation will there be a logout / creation of a new anonymous account?
Only if you want that user to create another anonymous account.
after restarting the phone, will the user still be logged in with the same account as before the restart?
Definitely!
