When a user is deleted via the Registered Users section of the Login & Auth Firebase web interface, the onAuth method is not triggered and the user remains logged in and able to write to the database. How can one ensure that the user's session is destroyed when the user is deleted?
Deleting an account does not automatically expire the current session(s) for that account. Their current sessions will remain valid until they expire. You can set the session expiration interval in your Firebase Dashboard. If you want to force the user to be logged out, call ref.
If you'd like to sign the user out of their current authentication state, call the signOut method: import auth from '@react-native-firebase/auth'; auth().signOut().
Security rules.
When a user is deleted they are not immediately unauthenticated. However, you can write your security rules in a way that protects private data from users who no longer exist.
Take the following data for example.
{
  "privateData": "only authenticated and existing users can read me!",
  "users": {
    "user1": "Alice",
    "user2": "Bob"
  }
}
In this situation we only want users in the /users list to have access to the /privateData location. A simple auth != null would work, until one of the users is removed.
{
  "rules": {
    "privateData": {
      ".read": "auth != null && root.child('users').child(auth.uid).exists()",
      ".write": "auth != null && root.child('users').child(auth.uid).exists()"
    }
  }
}
The rules above not only check for an authenticated user, but they also check that the user exists in the /users location.
The token will expire and they will no longer be able to log in. But with robust security rules you can guarantee they no longer have access to any data.
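An added illustration, not part of the original answer and not Firebase's rules engine: a small JavaScript model of the two rule expressions, run against the sample data for a deleted user whose token has not yet expired. The `snapshot`, `evaluate` and `lifecycle` names are hypothetical, and the model assumes the /users entry has to be removed separately, since deleting the account does not change database contents.

```javascript
// Added model of the two rule expressions; NOT Firebase's rules engine.
// The database contents are constructed from the answer's sample data.

// Minimal stand-in for the rules `root` snapshot: child(name) and exists().
function snapshot(value) {
  const isObject = value !== null && typeof value === 'object';
  return {
    child: (key) =>
      snapshot(isObject && Object.prototype.hasOwnProperty.call(value, key) ? value[key] : null),
    exists: () => value !== null && value !== undefined,
  };
}

// The two candidate rules for /privateData, written as JavaScript predicates.
const rules = {
  authOnly: (auth) => auth !== null,
  authAndListed: (auth, root) =>
    auth !== null && root.child('users').child(auth.uid).exists(),
};

// Evaluate both rules for one caller against one database state.
function evaluate(auth, db) {
  const root = snapshot(db);
  return {
    authOnly: rules.authOnly(auth, root),
    authAndListed: rules.authAndListed(auth, root),
  };
}

function lifecycle() {
  const db = {
    privateData: 'only authenticated and existing users can read me!',
    users: { user1: 'Alice', user2: 'Bob' },
  };
  // Bob's token was issued before his account was deleted and has not expired.
  const bobToken = { uid: 'user2' };

  const beforeDelete = evaluate(bobToken, db);
  // Account deleted in the console only: /users/user2 is still in the database,
  // so the existence check still passes.
  const accountDeletedOnly = evaluate(bobToken, db);
  // Once the /users entry is removed too, the still-valid token is denied.
  delete db.users.user2;
  const entryRemoved = evaluate(bobToken, db);
  const signedOut = evaluate(null, db);
  return { beforeDelete, accountDeletedOnly, entryRemoved, signedOut };
}

console.log(lifecycle());
```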