How to set Firebase Database rules? How to prevent .write from deleted user

Introduction

I am building a Firebase web client app. I would like to set Firebase Database rules.

  1. A new user registers with a Firebase app. Firebase gives him a user.UID.
  2. Then, the admin deletes OR disables the user from the Firebase admin console.
  3. The user refreshes the client app.
  4. (I find out that) the user can still write to the Firebase database even though his account has been deleted/disabled.


Goal / Intention

I would like to set a rule that prevents access (.read OR .write) to the Firebase database when the user does not exist OR is disabled in the admin console (auth/users).

Something like this:

"rules":{
  "$uid":{
    ".write":"auth.isUserActive(auth.uid) == true"
  }
}


FIREBASE REFERENCE DOC: https://firebase.google.com/docs/reference/security/database/#auth

Question

How can I achieve the above intention? What rules should I set on the Firebase DB?

Nik asked Jul 05 '16 05:07


1 Answer

Deleting a user doesn't revoke existing tokens for that user. See Firebase authentication not revoked when user deleted?. If you're using one of the standard identity providers, this means that the users may still be able to access the data for an hour after you delete the account.

There is no API for your code to check whether a given uid still exists. And even if such an API existed, it wouldn't help in this case, since a malicious user could just bypass that check and call the API directly.

A simple way to deal with this scenario is to keep a whitelist of allowed or blacklist of disallowed users in your database. For a blacklist, you'd keep a top-level (world readable, admin only writeable) list of banned/deleted users:

banned
  uid12345: true

When your admins delete a user, they also add them to this list.

And then in your security rules, you check and disallow access for banned users. E.g.:

"posts": {
  ".read": "auth != null && !root.child('banned').child(auth.uid).exists()"
}
Frank van Puffelen answered Nov 01 '22 15:11
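The blacklist approach from the answer, carried through as an added example (not code from the original answer, and not Firebase's own code): the complete rules document built around the `.read` fragment above, a local stand-in for the `root.child(...).exists()` expression so the rule can be exercised offline against a constructed snapshot, and the admin step that records the ban before the account is deleted. The `admin` custom claim on the list write rules, the `allowed` whitelist branch, the fake admin handles and the sample uids are assumptions, not from the post.

```javascript
// Added example, not code from the original post. Demonstrates the answer's
// banned-list technique end to end: rules document, offline rule evaluation,
// and the admin-side "ban, then delete" procedure.

// Complete Realtime Database rules. `banned` (and the optional `allowed`
// whitelist) are world-readable and writable only by admins.
// ASSUMPTION: admins carry an `admin: true` custom claim on their token.
const RULES = {
  rules: {
    banned: {
      ".read": "true",
      ".write": "auth != null && auth.token.admin === true",
    },
    allowed: {
      ".read": "true",
      ".write": "auth != null && auth.token.admin === true",
    },
    posts: {
      // The answer's rule: signed in AND not present under /banned.
      ".read": "auth != null && !root.child('banned').child(auth.uid).exists()",
      ".write": "auth != null && !root.child('banned').child(auth.uid).exists()",
    },
  },
};

// Mirrors `root.child(a).child(b).exists()` on a plain-object snapshot of the
// database. Like Firebase, any non-null value (even `false`) counts as existing.
// This is a local stand-in for the rule engine, not the engine itself.
function childExists(rootData, ...path) {
  let node = rootData;
  for (const key of path) {
    if (node === null || typeof node !== "object" ||
        !Object.prototype.hasOwnProperty.call(node, key)) {
      return false;
    }
    node = node[key];
  }
  return node !== null && node !== undefined;
}

// Evaluates the /posts rule for one request. `auth` is null when the request
// is unauthenticated, otherwise `{ uid }`. mode "blacklist" is the answer's
// rule; mode "whitelist" is the alternative it mentions (only listed users).
function canAccessPosts(rootData, auth, mode = "blacklist") {
  if (auth === null) return false; // the `auth != null` clause
  return mode === "whitelist"
    ? childExists(rootData, "allowed", auth.uid)
    : !childExists(rootData, "banned", auth.uid);
}

// Admin-side deletion. The ban entry is written FIRST, so the rule denies the
// user while an already-issued token (valid up to an hour) is still accepted;
// only then is the auth record deleted. `adminAuth` and `db` are the
// firebase-admin auth() and database() handles, or the fakes below.
async function banThenDeleteUser(adminAuth, db, uid) {
  await db.ref(`banned/${uid}`).set(true);
  await adminAuth.deleteUser(uid);
}

// Constructed sample snapshot: uid12345 has been banned, uid67890 is active.
const SAMPLE_ROOT = {
  banned: { uid12345: true },
  allowed: { uid67890: true },
  posts: { p1: { author: "uid67890", text: "hello" } },
};

// Fakes that record the order of admin operations so the write-before-delete
// ordering can be checked without a Firebase project.
function makeFakeAdmin() {
  const ops = [];
  const db = {
    ref: (path) => ({ set: async (v) => { ops.push(`set ${path}=${v}`); } }),
  };
  const adminAuth = {
    deleteUser: async (uid) => { ops.push(`delete ${uid}`); },
  };
  return { ops, db, adminAuth };
}

// Stand-alone demo.
console.log("uid12345 (banned) can read posts:",
  canAccessPosts(SAMPLE_ROOT, { uid: "uid12345" }));
console.log("uid67890 (active) can read posts:",
  canAccessPosts(SAMPLE_ROOT, { uid: "uid67890" }));
console.log("rules document:", JSON.stringify(RULES, null, 2));
```

The ordering in `banThenDeleteUser` is the practical point: deleting the account alone leaves the token-validity window the answer describes, so the database-side deny entry has to be in place before (or at the moment) the account goes away, and the rule on every protected path has to consult it.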