Firebase AuthStateListener does not fire when a user is disabled or deleted

Background

I use Firebase Authentication in my Android app to register / sign in users with Google, Facebook and email / password. Almost everything works fine so far, with the exception of one scenario.

Scenario

I need to disable or delete user accounts from the Firebase console in order to ban users from my application.

In this case, when I disable or delete a particular user, that user should be logged out of the application immediately and no longer be able to use it.

Problem

I use an AuthStateListener to listen for authentication state changes and log the user out automatically as soon as their account is disabled or deleted.

    FirebaseAuth.getInstance().addAuthStateListener(firebaseAuth -> {
        if (firebaseAuth.getCurrentUser() == null) {
            Intent intent = AuthFlowActivity.getCallingIntent(AuthFlowActivity.FORCE_LOGOUT);
            intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
            startActivity(intent);
            activityExitAnimation(BaseAppActivity.this);
        }
    });

But I never see the AuthStateListener fire any event for these actions. Therefore I cannot log the user out immediately, and the user can continue to use the application.

I would appreciate it if anyone could help solve this problem.

+6
1 answer

Disabling or deleting a user account does not change the state of the user. It also does not unauthenticate them. Within at most an hour, Firebase Authentication will try to refresh the access token for the user. This refresh will fail, at which point the user will become unauthenticated and the auth state change event will fire.

If you want to revoke a user's authorization immediately, you will have to do this in another part of your application logic. A common way to do this is to keep a blacklist in your application, for example in the Firebase Database:

    /bannedUsers
        uidOfBannedUser: true

Now, when you delete / disable a user account in the Authentication panel, you also add their uid to the list of banned users in the database.

The database can then be protected against access by unauthorized users by adding a clause to the database security rules, for example:

    {
      "rules": {
        "bannedUsers": {
          ".read": true,
          ".write": false // only admins can write these
        },
        "messages": {
          ".read": "auth != null && !root.child('bannedUsers').child(auth.uid).exists()"
        }
      }
    }

If you use a different back-end, the implementation will be different. But a blacklist like this is a common approach to banning users. You may find that you even have a bit more control over their authentication by banning them than by deleting their credentials (which they can simply recreate).

+12
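The answer enforces the ban server-side through the security rules, which is where the real protection lies (a modified client cannot skip a rule). What the asker also wanted is an immediate sign-out in the app. The following is an added example, not code from the question or the answer, showing one way to combine the two: the client attaches a live listener to its own /bannedUsers/<uid> node from the answer's layout, and signs out as soon as the node appears, which in turn fires the existing AuthStateListener. It assumes the standard Firebase Auth and Realtime Database Android SDKs; the BanEnforcer class, the onForcedLogout callback and the start()/stop() lifecycle hooks are names chosen for this example.

```java
// Added example (not from the question or answer). Assumes the /bannedUsers/<uid>
// layout from the answer and the standard Firebase Auth + Realtime Database SDKs.
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.database.DataSnapshot;
import com.google.firebase.database.DatabaseError;
import com.google.firebase.database.DatabaseReference;
import com.google.firebase.database.FirebaseDatabase;
import com.google.firebase.database.ValueEventListener;

public class BanEnforcer {
    private final FirebaseAuth auth = FirebaseAuth.getInstance();
    private final DatabaseReference bannedUsers =
            FirebaseDatabase.getInstance().getReference("bannedUsers");
    // Hypothetical callback: e.g. start AuthFlowActivity with FORCE_LOGOUT as in the question.
    private final Runnable onForcedLogout;

    private DatabaseReference watchedNode;
    private ValueEventListener banListener;

    public BanEnforcer(Runnable onForcedLogout) {
        this.onForcedLogout = onForcedLogout;
    }

    /** Call from onStart(): reacts to sign-in / sign-out and (re)attaches the ban watcher. */
    public void start() {
        auth.addAuthStateListener(authStateListener);
    }

    /** Call from onStop() so the database listener does not leak. */
    public void stop() {
        auth.removeAuthStateListener(authStateListener);
        detachBanWatcher();
    }

    private final FirebaseAuth.AuthStateListener authStateListener = firebaseAuth -> {
        FirebaseUser user = firebaseAuth.getCurrentUser();
        detachBanWatcher();
        if (user == null) {
            // Reached on explicit signOut(), on the failed token refresh the answer
            // describes (up to an hour later), and on the ban detected below.
            onForcedLogout.run();
        } else {
            attachBanWatcher(user.getUid());
        }
    };

    private void attachBanWatcher(String uid) {
        watchedNode = bannedUsers.child(uid);
        banListener = new ValueEventListener() {
            @Override
            public void onDataChange(DataSnapshot snapshot) {
                // The node exists only for banned users. signOut() makes getCurrentUser()
                // return null, which fires authStateListener and runs onForcedLogout.
                if (snapshot.exists()) {
                    auth.signOut();
                }
            }

            @Override
            public void onCancelled(DatabaseError error) {
                // Read denied or failed: fail closed instead of assuming "not banned".
                auth.signOut();
            }
        };
        watchedNode.addValueEventListener(banListener);
    }

    private void detachBanWatcher() {
        if (watchedNode != null && banListener != null) {
            watchedNode.removeEventListener(banListener);
        }
        watchedNode = null;
        banListener = null;
    }
}
```

Because the listener stays attached while the app is in the foreground, a uid written to /bannedUsers by an admin takes effect within the database's sync latency rather than at the next token refresh, and the server-side rule still blocks any client that never runs this code. Two design notes: onCancelled signs the user out deliberately, so a misconfigured rule produces a denied session rather than a silently unbanned one; and since each client only ever reads its own node, the answer's public ".read": true on bannedUsers can be narrowed to a per-uid rule (a "$uid" wildcard with ".read": "auth != null && auth.uid == $uid") so that the list of banned uids is not readable by everyone.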
