I am using Firebase Unity. I found that in a separate run of the app, if you initialize FirebaseApp with the same string name, you can get the previous run's FirebaseAuth's CurrentUser and I can see the UID. I can even preserve 2 CurrentUser by multiple FirebaseApp instances (they seem to be linked by string name).
This way I can use SignInAnonymously in an intended way, to onboard the player and let him play for as many days or as many app runs as he wants until he wants to commit to the game by providing an e-mail and password for LinkWithCredentialAsync.
I also found that if you uninstall the app or clear app data in the Settings of Android, the auth is gone. But app updates preserve the auth. Understandable.
But what I'm worried about is: can the preserved auth expire on its own? For example, the player played the game last year with an anonymous ID without committing to linking an e-mail credential. If he comes back a year later, can he still access the same account? (The app is not reinstalled, just upgraded.) I don't see any info in the docs about this.
I also found that if you uninstall the app or clear app data in the Settings of Android, the auth is gone.
That's correct. Firebase Anonymous Authentication accounts do not persist across application uninstalls. If you uninstall the application, everything that was saved locally will be deleted, including the anonymous auth token that identifies that account.
But what I'm worried about is: can the preserved auth expire on its own?
Anonymous auth tokens that identify a user account don't expire. Firebase doesn't remove the token automatically or in any other way because it doesn't really know if a user is still storing data linked to that anonymous account.
For example, the player played the game last year with an anonymous ID without committing to linking an e-mail credential. If he comes back a year later, can he still access the same account? (The app is not reinstalled, just upgraded.)
If the player did not uninstall the app and also did not clear the cache, then he will definitely be able to play again with the same account.
I'm working on a project where a user isn't forced to sign up for an account.
My plan is that a user could do anything that a registered user can, except for a few exceptions.
I implement a like function which saves the user's behaviour on a web server, and later, when the data is fetched again, it recognizes whether the user liked something or not. My problem is that I have to save this information even if the user isn't registered in my application. A user should be free to decide whether to sign up or not and isn't forced to be a registered user.
I found three different ways that could work!
1. Option
The first option would be the AccountManager, but I don't like this option at all because I have to ask for the contacts permission and also ask which account the user wants to use.
2. Option
Another option would be that when a user starts the app for the very first time, the app calls a server which creates a random unique code and sends that code to my application, which saves it as the key for the user's actions stored on the server. But that also doesn't seem to be a good solution for my problem.
3. Option
The last option would be OAuth, but for now I don't know if and how it would be the solution to my problem!
I would be thankful for every answer!
I have worked on a comic app that requires saving the user's subscribed channels, genres or comics and saving the likes/dislikes for the same. Users can be subscribed to push notifications too.
For this, we used Firebase Authentication (anonymous signup). And to save the user subscription information, we used Firebase Firestore.
We followed the approach below.
As soon as the app opens, check if the user is already signed in anonymously. If not, sign up silently.
Add a listener for changes to the user's push notification token, and update the token in Firestore with the anonymous user ID as the key (we did the same for storing other information too).
I think this approach would help to solve this problem.
You could use Firebase Auth for that!
Usually, you would use it with email & password or Google login, but it also has an anonymous login feature that should save the user's phone.
There are a few techniques. It depends on whether you want to recognise a user between installations of the app. If you are OK with losing a user on reinstallation, you can use the Firebase installation ID and link the user's behaviour with this ID. If you want to remember users even between installations, you can use Secure.ANDROID_ID, which is unique to each combination of app-signing key, user, and device (more info about ids). But still the best way is implementing your own sign-in or using AccountManager.
This question already has an answer here:
Firebase deleted user is able to change data. How can I fix this without modifying application code?
The user.uid is still coming (with the help of this uid != null, I am assuming the user is logged in).
I also tried addAuthStateListener(mAuthListener), but I am still getting the UID of the previously deleted user.
Without using a database to track banned or deleted user IDs, is it possible to remove that user instantly?
When a user signs in to Firebase, they get an access/ID token that is valid for an hour. This ID token cannot be revoked, as that would require Firebase to perform a quite expensive check on each call.
So when you delete the user's account from the console, they may retain access for up to an hour, at which point they will need to refresh their token, which will fail (since you deleted their account). So their access will automatically disappear within an hour.
A few points:
If you want to lock the user out of the application before their ID token expires, you'll want to keep an additional list of banned UIDs somewhere. For example, if you're using a Firebase database, you can keep a global list of bannedUIDs, and add the UID to that. Then in your server-side security rules, you can check if the UID who's trying to access the database isn't banned.
If you delete the user's account, they can just sign up again and create a new account. For this reason it is typically better to disable their account, which accomplishes the same (they won't be able to get a new ID token after their current one expires), but prevents them from signing up again with the same credentials.
Also see:
the video Five tips to secure your app
User keeps login even if I delete the account
Why firebase user still signed in after I deleted it from firebase dashboard
Does deleting account from Firebase automatically logs user out?
User authentication persisted after having cancelled the user from console.firebase.google.com
Firebase user deleted but still logged in on device
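The bannedUIDs check described in the answer above could look like this in Realtime Database security rules. This is an added example, not part of the original answer; the users/$uid data path is an assumption, and a banned user is assumed to be recorded as any non-null value at bannedUIDs/<uid>.

```json
{
  "rules": {
    // Denylist named in the answer. Clients can neither read nor modify it;
    // it is maintained from the console or the Admin SDK, which bypass rules.
    "bannedUIDs": {
      ".read": false,
      ".write": false
    },
    // Assumed layout: each user's data lives under users/<uid>.
    "users": {
      "$uid": {
        // Access requires a signed-in caller, acting on their own node,
        // whose UID is not on the denylist. The denylist lookup takes effect
        // on the next request, without waiting for the ID token to expire.
        ".read": "auth != null && auth.uid === $uid && !root.child('bannedUIDs').child(auth.uid).exists()",
        ".write": "auth != null && auth.uid === $uid && !root.child('bannedUIDs').child(auth.uid).exists()"
      }
    }
  }
}
```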
I am working with Cloud Firestore and I came to the question at the top. I will give you an example.
The user installs the app and logs in with Google. I save the log-in information in the device storage so the user does not have to log in every time. It is also stored in Firestore with a generated ID.
The user plays with the app and one day uninstalls it. This erases the log-in information in the async storage, losing the generated ID that granted him access to the app.
One day he decides to install it again, let's say in another device to make it harder. He had various information in his profile or maybe an active payment plan he forgot to delete and he wants to do it now. He clicks on google log in since it was how he did it, but now the profile information is gone because another account was created with another generated ID.
How to avoid this? I want the app to remember the user account in some way. The user account would be stored in my Firestore.
According to the docs:
For Android and iOS, offline persistence is enabled by default.
Meaning that by default, Firestore creates a local copy of the database on the client's device.
User installs app and logs in with Google.
So I assume you have already implemented Firebase authentication with Google.
It is also stored in Firestore with a generated ID.
Without seeing that "generated ID", it's hard to say if it's the correct ID or not. The idea behind this authentication is to sign in your users with Firebase, no matter what the provider is. Furthermore, if you want to save user data in Firestore, store it in a document whose ID is the user ID that comes from the authentication process. In this way, it doesn't matter what the provider is; you'll always store the data under a document whose key will never change.
User plays with the app and one day uninstalls it. This erases the log-in information in the async storage, losing the generated ID that granted him access to the app.
It's true that if the user uninstalls the app, all the cache is wiped out from the storage, including the log-in information. That being said, bear in mind that you should never store such information on the disk. When using Firebase authentication, there is no log-in information that needs to be stored. If you haven't implemented it yet, I recommend you start with the docs.
One day he decides to install it again, let's say in another device to make it harder. He had various information in his profile or maybe an active payment plan he forgot to delete and he wants to do it now. He clicks on google log in since it was how he did it, but now the profile information is gone because another account was created with another generated ID.
This is only happening if you are using a type of ID other than the one explained above. If you had used the ID that comes from the authentication process, the second time the user tries to sign in, even if using a different device, he'll be recognized as the same user with the same data. In this way, the user will be able to access the same document with the same data and recreate the local cache.
I'm not sure which framework you are using to create the app, but the Firebase SDK has sign-in along with create user with email & password. Needed data could be saved to the user's document in Firestore.
I'm thinking about using anonymous login in one of my apps as I don't really need to know anything about the user and using the account across devices is not required.
However, the user has to provide some information (once when first using the app) in order to use the app. This information is - obviously - linked to the user account. And of course the user should not have to enter this information more than once ever.
My question: What is the "lifetime" of the anonymous account? In which situation will there be a logout / creation of a new anonymous account?
E.g. after restarting the phone, will the user still be logged in with the same account as before the restart?
Thanks for your help!
PS: I only care about Android (and potentially also iOS) - but not web!
What is the "lifetime" of the anonymous account?
An anonymous user loses his account if the option to log out is available or if the user uninstalls the app. So you can use Firebase anonymous authentication to create and use only temporary anonymous accounts to authenticate with Firebase. As I said, anonymous authentication accounts do not persist across application uninstalls. When an application is uninstalled, everything that was saved locally will be deleted, including the anonymous auth token that identifies that account. Unfortunately, there is no way to reclaim that token for the user.
If you need more details for your users, you should encourage them to fully log in with a supported account provider (Google, Facebook, Twitter and so on) so that they can log in from all their devices without worry of losing their data.
In which situation will there be a logout / creation of a new anonymous account?
Only if you want that user to create another anonymous account.
after restarting the phone, will the user still be logged in with the same account as before the restart?
Definitely!