
User Authentication Persisted After Having Cancelled The User From Console.firebase.google.com

If I delete a user directly from my Firebase Console, this user still has valid data on my Android device. Of course if I then access Firebase resources (e.g. Realtime Database)

Solution 1:

If your user is logged in to your application and you manually delete them from the Firebase Console, the user will remain active until the token is refreshed. So for at most about an hour, the user will remain authenticated. So if you want to restrict the access of a user instantly, you need to sign him out.

But there is another workaround, in which you can create a new node in your Firebase database named usersToLogOut and add there all the user ids as keys and the boolean true as a value. The database should look like this:

Firebase-root
     |
     --- usersToLogOut
             |
             --- uid1: true
             |
             --- uid2: true

As the next step, when you delete that account manually, you need to add the uid of the user under this node. You also need to use Firebase Security Rules to revoke access for unauthorized users. The rules should look like this:

{
  "rules": {
    "usersToLogOut": {
      ".read": true,
      ".write": false
    },
    "posts": {
      ".read": "auth != null && !root.child('usersToLogOut').child(auth.uid).exists()"
    }
  }
}

Edit1:

According to your edit, you say: "what I'm asking here is not how to secure my DB from him/her but to check that it has been deleted", but this is the easier way in which you can achieve this, by using the rules above. If you delete the user manually from the console, this doesn't mean that you are deleting everything with it, including database records. You need to do this yourself. So the simplest way is to use rules.

Additionally, if you delete all user records, then you can add a listener and force him to sign out, but this means that you need to search your database for all records and remove them accordingly. The first solution is easier, because you only need to add a single record in your database and that's it!

Edit2:

When you are deleting a user manually, this doesn't mean that the firebaseUser object will be null, so checking for nullity does not make any sense, because the user will still be authenticated till the next token refresh. So to solve this, you need to use Firebase rules to restrict the access.

So your code will always work. What I was trying to say is that between the time at which you delete the user manually from the console and the time at which you get a refreshed token, it can be up to an hour in which the user will still have access to your app, even if he is deleted. To stop this, for that hour, you need to use the solution above.

Edit3 according to OP's comments:

Your code works well and will always work, but the problem is that even if you delete the user from the console, he will still have access to the database till the next token refresh. And yes, the user will be able to access the database. That token will be valid for about an hour, and if you do not want that, you can restrict it using the security rules, and in that hour the user will not have access anymore.

In other words, if you delete it also from the client side and if it is not valid, and if someone else has 'stolen' this token, they could use it to access the DB. Not the user who is using your app but someone that could have stolen that token.
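
As an added example (not part of the original answer and not Firebase's own code), the client side of the `usersToLogOut` workaround from Solution 1 could look like this: the app watches its own entry under that node and signs out as soon as the flag appears. The class name `RevocationWatcher` and the `onStart()`/`onStop()` wiring are assumptions.

```java
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.database.DataSnapshot;
import com.google.firebase.database.DatabaseError;
import com.google.firebase.database.DatabaseReference;
import com.google.firebase.database.FirebaseDatabase;
import com.google.firebase.database.ValueEventListener;

// Hypothetical helper (the name is an assumption): ends the local session once the uid is flagged.
public final class RevocationWatcher {
    private DatabaseReference flagRef;
    private ValueEventListener listener;

    // Call once the user is signed in, for example from onStart().
    public void start() {
        FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
        if (user == null || listener != null) {
            return; // nobody is signed in, or the watcher is already running
        }
        // Same node the security rules read: usersToLogOut/<uid> = true
        flagRef = FirebaseDatabase.getInstance()
                .getReference("usersToLogOut").child(user.getUid());
        listener = flagRef.addValueEventListener(new ValueEventListener() {
            @Override
            public void onDataChange(DataSnapshot snapshot) {
                if (snapshot.exists()) {
                    signOutLocally(); // the uid was flagged after the account was deleted
                }
            }

            @Override
            public void onCancelled(DatabaseError error) {
                signOutLocally(); // the server cancelled the listener: fail closed
            }
        });
    }

    // Call from onStop() so the listener does not leak.
    public void stop() {
        if (flagRef != null && listener != null) {
            flagRef.removeEventListener(listener);
        }
        flagRef = null;
        listener = null;
    }

    private void signOutLocally() {
        stop();
        FirebaseAuth.getInstance().signOut();
    }
}
```

The sign-out only cleans up a cooperating client; a token that was copied elsewhere is blocked by the security rule on the server side, not by this listener.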


Solution 2:

To check if the user has been deleted in the database, try this:

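import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.database.DataSnapshot;
import com.google.firebase.database.DatabaseError;
import com.google.firebase.database.DatabaseReference;
import com.google.firebase.database.FirebaseDatabase;
import com.google.firebase.database.ValueEventListener;

FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
if (user != null) { // getCurrentUser() returns null when nobody is signed in
    String useruid = user.getUid();
    DatabaseReference ref = FirebaseDatabase.getInstance().getReference().child("users").child(useruid);
    ref.addValueEventListener(new ValueEventListener() {
        @Override
        public void onDataChange(DataSnapshot dataSnapshot) {
            if (!dataSnapshot.exists()) {
                // The users/<uid> record is gone: update UI
            }
        }

        @Override
        public void onCancelled(DatabaseError databaseError) {
            // The listener was cancelled by the server; nothing to update here
        }
    });
}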

The above will check if the useruid is there or not, and since you are also deleting from the database, it will not be found and then you can update the UI using setVisibility(). Assuming you have this in DB:

    users
      useruid
         username: userx
         email: userx@gmail.com
      useruid
         username: usery
         email: usery@gmail.com
