
Firebase Authentication State Change does not fire when user is disabled or deleted

Under The Hood

I am using Firebase Authentication in my Android app to sign up/in users using Google, Facebook and Email/Password. So far, almost everything works fine except for a single scenario.

The Scenario

I need to disable or delete user accounts from the Firebase console sometimes to ban some users of my app.

In that case, when I disable or delete that particular user, the user must get logged out from the app instantly and should not be able to use it any further.

The Bug

I have used the AuthStateListener to listen for authentication state changes and log out the user automatically as soon as their account is disabled or deleted.

FirebaseAuth.getInstance().addAuthStateListener(firebaseAuth -> {
    if (firebaseAuth.getCurrentUser() == null) {
        Intent intent = AuthFlowActivity.getCallingIntent(AuthFlowActivity.FORCE_LOGOUT);
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
        startActivity(intent);
        activityExitAnimation(BaseAppActivity.this);
    }
});

But I have never seen the AuthStateListener fire any events for these actions. So I am unable to log out the user instantly and the user can still keep on using the app.

I would appreciate it if anyone can help in resolving this issue.

Aritra Roy asked Jul 13 '16 07:07


1 Answer

Disabling or deleting a user account does not fire an auth state change. Nor should it: the user is still authenticated. In at most an hour, Firebase Authentication will try to refresh the access token for the user. That refresh will fail, at which point the user will become unauthenticated and the auth state change event will fire.

If you're looking to revoke the user's authorization immediately, you will have to do so in another part of your application logic. A common way to do this is by having a blacklist in your application, e.g. in the Firebase Database:

/bannedUsers
    uidOfBannedUser: true

Now when you delete/disable a user's account in the Authentication panel, you also add their uid to the list of banned users in the database.

The database can then be secured against access from unauthorized users by adding a clause to your database security rules, e.g.

{
  "rules": {
    "bannedUsers": {
      ".read": true,
      ".write": false // only admins can write these
    },
    "messages": {
      ".read": "auth != null && !root.child('bannedUsers').child(auth.uid).exists()"
    }
  }
}

If you use a different back-end, the implementation will be different. But a blacklist like this is a common approach to ban users. You'll find that you may even care little enough about their authentication that you only ban them, instead of deleting their credentials (which they could simply recreate).

Frank van Puffelen answered Sep 21 '22 20:09
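
A client-side complement to the /bannedUsers rules in the answer above, as an added example that is not part of the original question or answer: the app watches its own entry under /bannedUsers and signs out locally as soon as it appears, which makes the question's AuthStateListener fire. The class name BanWatcher and its start/stop methods are hypothetical; the security rules stay the enforcement point, since a modified client can simply skip this listener.

```java
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.database.DataSnapshot;
import com.google.firebase.database.DatabaseError;
import com.google.firebase.database.DatabaseReference;
import com.google.firebase.database.FirebaseDatabase;
import com.google.firebase.database.ValueEventListener;

/** Hypothetical helper: signs the current user out when /bannedUsers/<uid> exists. */
public final class BanWatcher implements ValueEventListener {
    private final FirebaseAuth auth = FirebaseAuth.getInstance();
    private DatabaseReference banRef; // non-null while a listener is attached

    /** Call once a user is signed in, e.g. from the activity's onStart(). */
    public void start() {
        FirebaseUser user = auth.getCurrentUser();
        if (user == null || banRef != null) {
            return; // nobody signed in, or already watching
        }
        // Listen only to this user's own node, not the whole ban list.
        banRef = FirebaseDatabase.getInstance()
                .getReference("bannedUsers")
                .child(user.getUid());
        banRef.addValueEventListener(this);
    }

    /** Call from onStop() so the listener does not outlive the activity. */
    public void stop() {
        if (banRef != null) {
            banRef.removeEventListener(this);
            banRef = null;
        }
    }

    @Override
    public void onDataChange(DataSnapshot snapshot) {
        if (snapshot.exists()) { // an admin wrote bannedUsers/<uid>
            stop();
            auth.signOut(); // local sign-out triggers the AuthStateListener
        }
    }

    @Override
    public void onCancelled(DatabaseError error) {
        // The server rejected or cancelled the read. Design choice of this
        // example: fail closed and treat it like a ban.
        stop();
        auth.signOut();
    }
}
```

Until the access token expires, only the `!root.child('bannedUsers').child(auth.uid).exists()` clause in the rules blocks a banned user who runs a client without this listener, so every readable or writable path needs that clause.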