I am using Firebase authentication in my iOS app. Is there any way in Firebase, when a user logs in to my app, to log that user out of all other devices (sessions)? Can I do that with the Firebase Admin SDK?
- You need to do it yourself for the mobile application. Take one token in the User node in the Firebase database and regenerate it every time you log in to the application. Match this token with the already logged-in user's token in the `appDidBecomeActive` and `appDidFinishLaunching` methods; if the tokens are different, log the user out manually and take the user to the authentication screen. – TheTiger Feb 15 '19 at 09:35
- Just a thought here but is that going to be a good user experience? I use my iOS devices so I can seamlessly move from one device to the other - chatting on my iMac and grab my phone on the go to continue the conversation (Handoff). – Jay Feb 15 '19 at 18:54
- @Jay I think logging out the user for all sessions is good for security improvements. – Karen Hovhannisyan Feb 16 '19 at 09:01
- @Jay It depends on the app category. If this is something related to security, like a banking, wallet, or personal data app, then it is good to keep single-user login. – TheTiger Feb 16 '19 at 09:17
- @TheTiger I totally agree, which is why I asked. How users are handled is directly related to the use case of the app. I think a bit more info in the question could lead to an answer but as it is, it's a bit vague as to what 'logout' means. In other words, Firebase could have an observer on a node that notifies the app to log the user out of Firebase, but does that also mean to log the user out of the app itself? Or should they still have access to the data they are examining at the time, with no new data? – Jay Feb 16 '19 at 15:48
3 Answers
When I had this issue I resolved it with Cloud Functions. Please visit this link for more details: https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens
Do the following:
- Set up a web server with Firebase Cloud Functions (if none exists)
- Use the Admin SDK (that's the only way this method would work) - [Visit this link](https://firebase.google.com/docs/admin/setup#initialize_the_sdk).
- Create an API that receives the uid and revokes current sessions as specified in the first link above
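```javascript
// `admin` is the initialized Admin SDK; `uid` is the user ID received by the API.
admin.auth().revokeRefreshTokens(uid)
  .then(() => {
    return admin.auth().getUser(uid);
  })
  .then((userRecord) => {
    // Revocation time in seconds since the Unix epoch
    return new Date(userRecord.tokensValidAfterTime).getTime() / 1000;
  })
  .then((timestamp) => {
    // return a valid response to the iOS app to continue the user's login process
  });
```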
Voila, users logged out. I hope this gives insight into resolving the issue.
- How can I keep the user logged in on the current device and log out on all other devices? – lazzy_ms Sep 23 '19 at 08:58
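As an added example (not part of the answer above or of Firebase's own code): revoking refresh tokens does not invalidate ID tokens that were already issued, so a backend has to compare each token's `auth_time` with the user's `tokensValidAfterTime`. The sketch below models that comparison offline with constructed claims and hypothetical function names; it also shows why the device that signs in after the revocation stays logged in.

```javascript
// Added example: offline model of the revocation check; no Firebase calls are made.
// Function names and sample values are constructed for illustration.

// Expiry-only verification: what a backend does if it never checks revocation.
function acceptsWithoutRevocationCheck(claims, nowSec) {
  return claims.exp > nowSec;
}

// Revocation-aware verification: reject a token when the sign-in that produced
// it (auth_time, in seconds) predates the user's tokensValidAfterTime.
function acceptsWithRevocationCheck(claims, tokensValidAfterTime, nowSec) {
  if (claims.exp <= nowSec) return false;
  const validSinceSec = new Date(tokensValidAfterTime).getTime() / 1000;
  return claims.auth_time >= validSinceSec;
}

// Constructed timeline (Unix seconds).
const T0 = 1550221200;          // device A signs in
const REVOKED_AT = T0 + 600;    // device B starts login, backend revokes
const tokensValidAfterTime = new Date(REVOKED_AT * 1000).toUTCString();

// Device A's ID token, refreshed one minute before the revocation (one-hour lifetime).
const deviceA = { uid: 'user-123', auth_time: T0,
                  iat: REVOKED_AT - 60, exp: REVOKED_AT + 3540 };
// Device B completes sign-in after the revocation, so its auth_time is newer.
const deviceB = { uid: 'user-123', auth_time: REVOKED_AT + 5,
                  iat: REVOKED_AT + 5, exp: REVOKED_AT + 3605 };

// Decisions each check makes at a given moment.
function evaluate(nowSec) {
  return {
    aExpiryOnly: acceptsWithoutRevocationCheck(deviceA, nowSec),
    aRevocationAware: acceptsWithRevocationCheck(deviceA, tokensValidAfterTime, nowSec),
    bRevocationAware: acceptsWithRevocationCheck(deviceB, tokensValidAfterTime, nowSec),
  };
}

// Five minutes after the revocation, device A's old token still passes an
// expiry-only check but fails the revocation-aware one; device B passes.
console.log(evaluate(REVOKED_AT + 300));
```

With the Admin SDK the same check is requested by passing `true` as the second argument to `verifyIdToken`.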
Firebase doesn't provide such a feature. You need to manage it yourself.
Here is the Firebase Doc and they haven't mentioned anything related to single-user sign-in.
Here is what you can do for this:
Take one token in the User node (where you save the user's other data) in the Firebase database and regenerate it every time you log in to the application. Match this token with the already logged-in user's token (which is saved locally) in `appDidBecomeActive` and `appDidFinishLaunching`, or possibly each time you perform any operation with Firebase, or maybe at some fixed time interval. If the tokens are different, log the user out manually and take the user to the authentication screen.
What I have done is:
Created a collection in Firestore called "activeSessions", with the user email as the id for the object and an "activeID" field holding the most recent session id.
In the sign-in page code:
Generate an id for a user session every time the user logs in. Add this id to localStorage (it should be cleared every time before adding). Replace "activeID" with the generated id in the "activeSessions" collection for the current user email.
```javascript
function addToActiveSession() {
    var sesID = gen();
    var db = firebase.firestore();
    localStorage.setItem('userID', sesID);
    db.collection("activeSessions").doc(firebase.auth().currentUser.email).set({
        activeID: sesID
    }).catch(function (error) {
        console.error("Error writing document: ", error);
    });
}

function gen() {
    // 16 random bytes, hex-encoded. A single byte allows only 256 IDs,
    // so a new session could get the same ID as the one it replaces.
    var buf = new Uint8Array(16);
    window.crypto.getRandomValues(buf);
    return Array.from(buf, function (b) {
        return b.toString(16).padStart(2, '0');
    }).join('');
}

function signin() {
    // email and password are expected to be read from the sign-in form
    firebase.auth().signInWithEmailAndPassword(email, password).then(function (user) {
        localStorage.clear();
        addToActiveSession();
    }).catch(function (error) {
        // Handle errors here.
        var errorCode = error.code;
        var errorMessage = error.message;
        if (errorCode === 'auth/wrong-password') {
            alert('wrong pass');
        } else {
            alert(errorMessage);
        }
        console.log(error);
    });
}
```
Then I check on each page whether the session id in local storage is the same as "activeID" in Firestore; if not, log out.
```javascript
function checkSession() {
    var db = firebase.firestore();
    var docRef = db.collection("activeSessions").doc(firebase.auth().currentUser.email);
    docRef.get().then(function (doc) {
        alert(doc.data().activeID);
        alert(localStorage.getItem('userID'));
        // A newer login elsewhere has replaced activeID: this session is stale
        if (doc.data().activeID != localStorage.getItem('userID')) {
            alert("bie bie");
            firebase.auth().signOut().then(() => {
                window.location.href = "signin.html";
            }).catch((error) => {
                // An error happened.
            });
            // Runs immediately, without waiting for signOut() to finish
            window.location.href = "accountone.html";
        } else {
            alert("vse ok");
        }
    }).catch(function (error) {
        console.log("Error getting document:", error);
    });
}
```
PS: the window has to be refreshed to log the inactive session out.