I've encountered a strange behavior of the Firebase simple login with email/password: If I log in with an existing user account I'm able to write to a Firebase ref (i.e. $root/list/$item). If not, I have no write access as expected (Firebase rules seem to be OK), BUT if a client is logged in, and I meanwhile delete a user from Firebase Forge (Auth page), the connected client still has write access to the Firebase ref! Is it by design or is it a bug? Thanks.
Here are the rules:
{
  "rules": {
    ".read": true,
    "list": {
      "$item": {
        ".write": "auth != null && newData.child('author').val() == auth.id",
        ".validate": "newData.hasChildren(['author', 'content'])",
        "author": {
          ".validate": "newData.val() == auth.id"
        },
        "content": {
          ".validate": "newData.isString()"
        }
      }
    }
  }
}
Note that Firebase Auth web sessions are single host origin and will be persisted for a single domain only. This indicates that the state will only persist in the current session or tab, and will be cleared when the tab or window in which the user authenticated is closed.
By default, a session ends (times out) after 30 minutes of user inactivity. There is no limit to how long a session can last.
Short answer: by design, or more accurately, not applicable in this case.
During auth, FirebaseSimpleLogin generates a token. Once the token is given to a client, it remains valid until it expires. Thus, when you delete the user account in simple login, this does not somehow go to the client's machine and remove the token. This is a pretty standard auth model, and the expiration length on the token (configurable in Forge) is the key constraint for security.
If you want to revoke logins immediately, then simple login is not the right tool for the job. You'll want to use custom login and generate your own tokens. There are some great discussions on revocable tokens, so I'll defer you to those, since that's outside the purview of your question.