2

I am using Firebase Username/Password authentication in my Android app. But it seems to allow any number of devices to sign in using a single username/password. Is there a way to limit sign-in to a single device (or a limited small number of devices)?

What I am looking for is something like this. When a new device signs-in using an existing username/password: 

   a) validate the username and password

   b) sign-out all devices currently signed in with that username/password

   c) then sign-in the new device

I saw something about revoking Refresh tokens (https://firebase.google.com/docs/auth/admin/manage-sessions) - can this be used to achieve the above?

Alternately, is there a way to limit the number of simultaneous logins?

Right now I am NOT using any databases - would prefer a solution that does not require use of a database.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
Venu G.
  • 427
  • 1
  • 5
  • 10

2 Answers2

1

I don't think is it possible without a database, because by default firebase doesn't provide any way to limit or get active sessions for a user. What you can do is, after logging in you can maintain the login history of the user for different devices and also logout by revoking refresh tokens for that devices. Revoke refresh token

Hope this helps!

Rishi Sharma
  • 106
  • 1
0

Revoke refresh token

FirebaseAuth.getInstance().revokeRefreshTokens(uid);

On revocation, the user is signed out and prompted to reauthenticate.

Bruno Galvão
  • 57
  • 1
  • 4
  • Have you done this? From the app (client) end? Doesn't it revoke the sign-in for the last sign-in as well? Also, this requires Firebase Admin SDK to be used on the app end? Bit of a security concern. – Venu G. Apr 10 '19 at 15:29