
I've been looking around the web and trying to find out how to handle the user state of a logged in Firebase user where the following occurs:

  1. User is already logged into the app.
  2. Admin disable/delete the user from the Firebase Console.
  3. User is still inside the app (although the account has been disabled/deleted on the Firebase Console).
  4. After more than an hour, user is still inside the app. (Firebase ID token should have expired and addStateDidChangeListener() should've been called).

Currently, unless I call getIDTokenForcingRefresh() and signout() the user if the returned error is due to a disabled/deleted user, the user will still be logged in.

In summary, I've the following questions:

  • If a user is logged into the app, the user will remain logged in unless a signout() is called. It doesn't matter if the user account is disabled or deleted?
  • The Firebase ID token 1-hour expiry only triggers addStateDidChangeListener(), but I'll have to handle what to do inside the handler?
  • What is the difference if I use reauthenticateWithCredential() to check for update state of the user?

Thanks for any clarification and help in advance! =)

Shen
  • Possible duplicate of [Firebase still retrieving authData after deletion](https://stackoverflow.com/questions/35960546/firebase-still-retrieving-authdata-after-deletion) – kuzyn Nov 20 '18 at 17:51

1 Answer

I don't know if I will answer all of your questions, but I can give you some info from my experience with Firebase.

As far as I know, if a user gets deleted or disabled, they will still be logged into the app until the token expires. Any time you try to manipulate some data in Firebase (read, write, whatever) after the user has been disabled/deleted, you will get an error in the result block. That is when you should check what kind of error it is and perform some actions. In this case, if the error matches a deleted/disabled user, you should log them out and take them to the login screen. Here is a list of all errors.

reauthenticateWithCredential() is a way to do that, but you will get the same error when reading other data from Firebase. So if a user is disabled, calling reauthenticateWithCredential() will return an error with code FIRAuthErrorCodeUserDisabled. That is how you detect that the user was disabled.

ZassX
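The check the answer describes (force a token refresh, inspect the error code, sign the user out and route to login when the account is disabled or deleted), as an added Swift example. This is not the asker's or answerer's code and not part of the Firebase SDK; it assumes the Firebase iOS Auth API of the Swift 4 / Firebase 4 era, where `AuthErrorCode` is an enum initialised from the `NSError` code (the `FIRAuthErrorCode*` constants the answer names). `SessionCheck`, `checkSession`, and `showLoginScreen` are names introduced here for illustration.

```swift
import FirebaseAuth

/// Outcome of a session check. `.revoked` means the local session was
/// discarded and the UI should return to the login screen.
enum SessionCheck {
    case valid
    case revoked(reason: String)
    case transient(Error)   // e.g. network failure: keep the session, retry later
}

/// Placeholder hook (not part of Firebase) where the app navigates to its
/// login screen after the local session has been torn down.
func showLoginScreen() {
    // Replace with the app's own navigation code.
}

/// Forces an ID token refresh so the Firebase backend re-evaluates the account.
/// A cached ID token stays valid until it expires, which is why a disabled or
/// deleted user can keep using the app for up to an hour; forcing the refresh
/// surfaces the account state immediately instead of waiting for expiry.
func checkSession(completion: @escaping (SessionCheck) -> Void) {
    guard let user = Auth.auth().currentUser else {
        completion(.revoked(reason: "no signed-in user"))
        return
    }

    user.getIDTokenForcingRefresh(true) { _, error in
        guard let error = error else {
            completion(.valid)          // backend accepted the refresh: account is still active
            return
        }

        // Map the NSError code onto Firebase's auth error codes (assumed enum API).
        let code = AuthErrorCode(rawValue: (error as NSError).code)
        switch code {
        case .userDisabled?:
            endSession(reason: "account disabled", completion: completion)
        case .userNotFound?:
            endSession(reason: "account deleted", completion: completion)
        case .userTokenExpired?, .invalidUserToken?:
            endSession(reason: "refresh token no longer valid", completion: completion)
        default:
            // Anything else (offline, rate limit, ...) is not evidence that the
            // account was revoked, so the session is kept and the check retried later.
            completion(.transient(error))
        }
    }
}

/// Clears the local Firebase session and hands control back to the login flow.
private func endSession(reason: String, completion: @escaping (SessionCheck) -> Void) {
    do {
        try Auth.auth().signOut()
    } catch {
        // signOut() only fails on keychain errors; the user object is still
        // unusable server-side, so fall through to the login screen regardless.
    }
    showLoginScreen()
    completion(.revoked(reason: reason))
}
```

Call `checkSession` when the app launches and each time it returns to the foreground, not only from the `addStateDidChangeListener` handler: that listener fires on sign-in and sign-out, and on its own does nothing about a disabled account while the cached token is still valid. Only the codes that actually mean "this account may no longer be used" trigger a sign-out; treating every error as revocation would log users out during a network outage.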
  • I did some further testing; disabled users are still able to write to the database successfully during the 1 hour before the token expires, even when getIDTokenForcingRefresh() returns that the user account has been disabled. After 1 hour that the user has been disabled, I can't write to the database. However, there isn't any status returned even when I call ref.setValue() with a completion block. reauthenticateWithCredential() is a way, but the user experience isn't as good because it requires the user to input their credentials again. – Shen Jul 26 '17 at 11:45
  • @Shen Good you dropped back with info, thanks! Well, I guess the alternative is to hold some information about user status in the database and handle that manually. E.g. each user has a property `enabled: true/false` and you can use that data to determine if the user is enabled or not. – ZassX Jul 26 '17 at 13:26
  • @ #firebase you need to get this fixed!? WTF man this is a major security flaw!? – Famic Tech Dec 24 '17 at 05:07