
How to force logout firebase auth user from app remotely

I have a project which uses Firebase Auth with FirebaseUI to authenticate users. I have enabled the Google, Facebook and email providers. What I need is to remotely log out or disable some of the users.

I want the users to be logged out of the app when I do so. I tried disabling the user in the Firebase console and also used the Firebase Admin SDK (https://firebase.google.com/docs/auth/admin/manage-sessions) to revoke the refresh tokens.

I waited for more than 2 days and still noticed that the user was logged in and could access the Firestore data.

I have also gone through and tried "Firebase still retrieving authData after deletion".

Can anyone point to what I am doing wrong?

Ashwin Valento asked Oct 31 '18 16:10


People also ask

Which method will you call to logout a user from Firebase?

If you'd like to sign the user out of their current authentication state, call the signOut method: import auth from '@react-native-firebase/auth'; auth().signOut();

How do I remove a user from Firebase authentication?

You can also delete users from the Authentication section of the Firebase console, on the Users page. Important: To delete a user, the user must have signed in recently. See Re-authenticate a user.

How long is a Firebase user logged in for?

Firebase Authentication sign-ins are permanent. There is no specific time-out on the authentication of a user, so you should not ask them to re-authenticate based on the expired time.




3 Answers

You also cannot remotely force a user to be signed out. Any sign out will have to happen from the device that the user is signed in on.

There is no way to revoke an access token once that is minted. This means that even if you disable the user's account, they may continue to have access for up to an hour.

If that is too long, the trick (as also mentioned in my answer to the question you linked) is to maintain a list of blocked users in your database (or elsewhere) and then check against that in your security rules (or other authorization layer).

For example, in the Realtime Database you could create a list of blocked users' UIDs:

"banned_uids": {
  "uid1": true,
  "uid2": true
}

And then check against that in your security rules with:

".read": "auth.uid !== null && !root.child('banned_uids').child(auth.uid).exists()"
Frank van Puffelen answered Oct 16 '22 15:10
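The effect of the blocklist check described in the answer above, as an added example that is not part of the original answer and is not Firebase SDK code: it models the decision an authorization layer makes for a request carrying an already-minted ID token, and measures how long that token keeps working after the account is disabled. The function names, the claims object and the timestamps are constructed for illustration.

```javascript
// Added illustration: names and sample values are hypothetical/constructed.
const ID_TOKEN_LIFETIME = 3600; // seconds; the "up to an hour" window from the answer

// Constructed stand-in for decoded, signature-verified ID token claims.
function mintClaims(uid, issuedAt) {
  return { uid, iat: issuedAt, exp: issuedAt + ID_TOKEN_LIFETIME };
}

// Mirrors the rule auth.uid !== null && !banned_uids/<uid>.exists(),
// preceded by the expiry check applied to the token itself.
function authorize(claims, now, bannedUids) {
  if (!claims || !claims.uid) return { allow: false, reason: 'unauthenticated' };
  if (now >= claims.exp) return { allow: false, reason: 'expired' };
  if (Object.prototype.hasOwnProperty.call(bannedUids, claims.uid)) {
    return { allow: false, reason: 'banned' };
  }
  return { allow: true, reason: 'ok' };
}

// Seconds for which an already-minted token is still accepted when the
// account is disabled at `disabledAt`. Disabling the account does not alter
// the claims, so only the blocklist can shorten this window.
function residualAccess(claims, disabledAt, bannedUids) {
  return authorize(claims, disabledAt, bannedUids).allow
    ? claims.exp - disabledAt
    : 0;
}

const claims = mintClaims('uid1', 1000);
// Account disabled 10 minutes (600 s) after the token was minted.
console.log('no blocklist:  ', residualAccess(claims, 1600, {}), 's of access left');
console.log('with blocklist:', residualAccess(claims, 1600, { uid1: true }), 's of access left');
console.log('decision:      ', authorize(claims, 1600, { uid1: true }).reason);
```
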


You can send a data message with FCM to force a logout.

For example, if the users use an Android application:

  1. Save the FCM token in a collection in Firebase Realtime.
  2. Configure the Android client app, in the service. LINK You have to make it force a logout when it receives a message with a special string.
  3. Make the trigger you need in Cloud Functions to send the data LINK when you need the user to log out.

SUCCESS!

Mike Brian Olivera answered Oct 16 '22 17:10


As per your scenario, I assume that you need to log the user out when the user is disabled.

Use one global variable to store TokenNo (might be in shared preferences or SQLite):

Add the following code to your manifest:

<service android:name=".YourFirebaseMessagingService">
 <intent-filter>
     <action android:name="com.google.firebase.MESSAGING_EVENT" />
 </intent-filter>
</service>

Add following code in your

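import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.messaging.FirebaseMessagingService;

// The <service android:name> entry in the manifest must name this class.
public class LogoutOntokenchange extends FirebaseMessagingService {
    // Global counter from the answer; persist it in SharedPreferences or SQLite.
    static int TokenNo = 0;

    @Override
    public void onNewToken(String token) {
        if (TokenNo >= 1) { // TokenNo >= 1 means the user has already logged in
            TokenNo = 0;
            FirebaseAuth.getInstance().signOut(); // then call the sign-out method
        } else {
            TokenNo = 1; // store the token number in the db
        }
    }
}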

What happens here:
When the user logs in for the first time, onNewToken is called and execution goes into the else branch, so TokenNo is updated from 0 to 1.
When you disable any user, the token is automatically refreshed. Then onNewToken is called with TokenNo >= 1, so the user will be logged out.

NOTE: When the user logs in for the first time, i.e. if the TokenNo variable is not stored, store it as 0.

For reference: https://firebase.google.com/docs/reference/android/com/google/firebase/messaging/FirebaseMessagingService

maneesh answered Oct 16 '22 16:10