I would like to know what the default authentication period for users to be logged into Firebase is. I have an Android app where users are logging in via email/password and I want to know how long FirebaseAuth.getInstance().getCurrentUser() will remain not null.
In the previous version of Firebase, the default length of time was 24 hours and could be modified via the firebase console. Is the default amount of time still 24 hours? Can this be modified via the console? (I cannot seem to find anything regarding this in the latest version of Firebase)
I realize this question is six years old at this point, but as mentioned in the comments, the user lifecycle states that the user token will expire and that in that event, the refresh token will be used to automatically reissue a set of new tokens for the user when using the SDKs. This allows the user to continue using the app without issue and does not force the user to re-authenticate into the app when their session token has expired.
Related
I did see the other questions about implementing trial apps (meaning apps that expire after being used for a certain time). They said the only real way to do it is to set up your own server and use some unique device ID to check if users have finished their trial. I don't know the first thing about setting up a server nor do I have the money for it.
I'm curious if it's possible to just use Firebase authentication but instead of users manually logging in they get automatically logged in using their unique device ID, and then their install date is checked using Firebase? Is that possible?
This question already has an answer here:
Firebase deleted user is able to change data. How can I fix this without modifying application code?
(1 answer)
Closed 3 years ago.
The user.uid is still coming (with the help of this uid != null, I am assuming the user is logged in).
I also tried addAuthStateListener(mAuthListener), but I am still getting UID of the previously deleted user.
Without using database track of banned or deleted user ids is it possible to remove that user instantly.
When a user signs in to Firebase, they get an access/ID token that is valid for an hour. This ID token cannot be revoked, as that would require Firebase to perform a quite expensive check on each call.
So when you delete the user's account from the console, they may retain access for up to an hour, at which point they will need to refresh their token, which will fail (since you deleted their account). So their access will automatically disappear within an hour.
A few points:
If you want to lock the user out of the application before their ID token expires, you'll want to keep an additional list of banned UIDs somewhere. For example, if you're using a Firebase database, you can keep a global list of bannedUIDs, and add the UID to that. Then in your server-side security rules, you can check if the UID who's trying to access the database isn't banned.
If you delete the user's account, they can just sign up again and create a new account. For this reason it is typically better to disable their account, which accomplishes the same (they won't be able to get a new ID token after their current one expires), but prevents them from signing up again with the same credentials.
Also see:
the video Five tips to secure your app
User keeps login even if I delete the account
Why firebase user still signed in after I deleted it from firebase dashboard
Does deleting account from Firebase automatically logs user out?
User authentication persisted after having cancelled the user from console.firebase.google.com
Firebase user deleted but still logged in on device
I am using Firebase Unity. I found that in a separate run of the app if you initialize FirebaseApp with the same string name, you can get the previous run's FirebaseAuth's CurrentUser and I can see the UID. I can even preserve 2 CurrentUser by multiple FirebaseApp instance (seems to be linked by string name)
This way I can use SignInAnonymously in an intended way, to onboard the player and let him play as many days or as many app run as he wants until he want to commit to the game by providing e-mail and password for LinkWithCredentialAsync.
I also found that if you uninstall the app or clear app data in the Settings of Android, the auth is gone. But app updates preserve the auth. Understandable.
But what I worried is that can the preserved auth expires on its own? For example the player played the game last year with anonymous ID without committing to linking to e-mail credential. If he come back a year later can he still access the same account? (The app is not reinstalled, just upgraded.) I don't see any info in the docs about this.
I also found that if you uninstall the app or clear app data in the Settings of Android, the auth is gone.
That's correct. Firebase Anonymous Authentication accounts does not persist across application uninstalls. If you uninstall the application, everything that was saved locally will be deleted, including the anonymous auth token that identifies that account.
But what I worried is that can the preserved auth expires on its own?
Anonymous auth token that identifies a user account don't expire. Firebase doesn't remove the token automatically or in any other way because it doesn't really know if a user is still storing data linked to that anonymous account.
For example the player played the game last year with anonymous ID without committing to linking to e-mail credential. If he come back a year later can he still access the same account? (The app is not reinstalled, just upgraded.)
If the player did not uninstall the app and he also did not clear the cache then he will definetely be able to play again with the same account.
This question already has an answer here:
Firebase deleted user is able to change data. How can I fix this without modifying application code?
(1 answer)
Closed 3 years ago.
The user.uid is still coming (with the help of this uid != null, I am assuming the user is logged in).
I also tried addAuthStateListener(mAuthListener), but I am still getting UID of the previously deleted user.
Without using database track of banned or deleted user ids is it possible to remove that user instantly.
When a user signs in to Firebase, they get an access/ID token that is valid for an hour. This ID token cannot be revoked, as that would require Firebase to perform a quite expensive check on each call.
So when you delete the user's account from the console, they may retain access for up to an hour, at which point they will need to refresh their token, which will fail (since you deleted their account). So their access will automatically disappear within an hour.
A few points:
If you want to lock the user out of the application before their ID token expires, you'll want to keep an additional list of banned UIDs somewhere. For example, if you're using a Firebase database, you can keep a global list of bannedUIDs, and add the UID to that. Then in your server-side security rules, you can check if the UID who's trying to access the database isn't banned.
If you delete the user's account, they can just sign up again and create a new account. For this reason it is typically better to disable their account, which accomplishes the same (they won't be able to get a new ID token after their current one expires), but prevents them from signing up again with the same credentials.
Also see:
the video Five tips to secure your app
User keeps login even if I delete the account
Why firebase user still signed in after I deleted it from firebase dashboard
Does deleting account from Firebase automatically logs user out?
User authentication persisted after having cancelled the user from console.firebase.google.com
Firebase user deleted but still logged in on device
I am getting an error when I try to send messages via the Firebase Notification screen in the console. It says I have an invalid token format, but I have used previously used tokens collected with the same method successfully.
I was not getting this error a few days ago, and notifications were working properly. I just pushed an update to the Google Play Store recently, but this update did not touch any code relating to the notifications.
status.firebase.google.com says that notifications are currently up. All other Firebase usages in my app (database, storage, auth) are working properly.
When I updated my app, I did not change my google-services.json file at all. Do I need to do some sort of update to this file, or some sort of version change on the Firebase Console to keep the versions consistent between the APK and the console?
As mentioned by #Arthur Thomson (in the comments), your registration token may change as a result of an update in the application. It does matter that you did not change the google-services.json if the user reinstalled or updated the application the token maybe changed.
According to the docummentation about the device registration token, the registration toke may change when:
The app deletes Instance ID
The app is restored on a new device
The user uninstalls/reinstall the app
The user clears app data.
So you would need to retrieve the new registration token using the onTokenRefresh() method in your Android client application. I mean, you just need to implement a code to retrieve the new token if it changes.
Hope this helps