Properly log out a user from android app

I'm developing a small Android app, and basically so far it just has login and logout functionality. I'm using Firebase to store user data and also for authentication.

So I have login working and it authenticates users as it should and I have logging out working in the sense that it unauthenticates users. But is there anything I have to do from within the app to kill the session?

    if (id == R.id.action_log_out) {
        ref.unauth(); //End user session
        startActivity(new Intent(MainActivity.this, LoginActivity.class)); //Go back to home page
        finish();
    }

Will this work as I think it should? Obviously if someone logs out they shouldn't be able to hit the back button and magically go back to the last page without re-logging in.

John asked Feb 21 '16 20:02


4 Answers

From Firebase docs

https://firebase.google.com/docs/auth/android/custom-auth

call this FirebaseAuth.getInstance().signOut();

Manzurul Hoque Rumi answered Nov 17 '22 23:11


When Firebase authenticates the user (or you authenticate the user with Firebase), it stores the token for that user in local storage on your device. This happens when you call one of the authWith... methods (of course only if it successfully authenticates the user).

Calling ref.unauth(); immediately deletes that token from local storage.

A properly implemented flow would not automatically re-authenticate them when the user presses the back button, but that depends on the flow you implement (which is missing from your question and would likely be too much code anyway).

Frank van Puffelen answered Nov 17 '22 21:11


I see 2 options for the issue we have with the back-Button after Logout:

In your LoginActivity, which should be your launcher activity, override the onBackPressed method and leave it empty:

    @Override
    public void onBackPressed() {
        // empty so nothing happens
    }

Or/and you can add the LoginActivityIntent in your LogoutActivity if user == null. This way, whenever an unauthenticated user lands on the activity, it will redirect to the LoginActivity instantly, although this looks kinda weird.

    mAuth = FirebaseAuth.getInstance();
    mAuthListener = new FirebaseAuth.AuthStateListener() {
        @Override
        public void onAuthStateChanged(@NonNull FirebaseAuth firebaseAuth) {
            FirebaseUser user = firebaseAuth.getCurrentUser();
            if (user != null) {
                // User is signed in
                Log.d(TAG, "onAuthStateChanged:signed_in:" + user.getUid());
            } else {
                // User is signed out
                Log.d(TAG, "onAuthStateChanged:signed_out");
                startActivity(new Intent(LogoutActivity.this, LoginActivity.class));
            }
            // ...
        }
    };

The first option is easier, but I guess if you apply both you're on the safe side ^^ I'm coding for 2 weeks now so correct me if I'm wrong.

Daniel Eberl answered Nov 17 '22 23:11


You can replace finish() with finishAffinity();

Vishnu Kant Agarwal answered Nov 17 '22 23:11
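
The answers above combined into one pattern, as an added example that is not code from the thread or from Firebase: every screen that requires a signed-in user registers an auth-state listener while it is visible, and a sign-out sends the user to the login screen in a fresh task so the back button has nothing to return to. `AuthenticatedActivity` and `logOut()` are hypothetical names; `LoginActivity` is the class from the question, and the app is assumed to use AndroidX and the Firebase Auth SDK.

```java
// Added example. AuthenticatedActivity and logOut() are hypothetical names;
// LoginActivity is the login screen from the question.
import android.content.Intent;
import androidx.appcompat.app.AppCompatActivity;
import com.google.firebase.auth.FirebaseAuth;

public abstract class AuthenticatedActivity extends AppCompatActivity {

    // Invoked once on registration and again on every sign-in or sign-out,
    // so the check runs however this activity was reached (including via back).
    private final FirebaseAuth.AuthStateListener authListener = auth -> {
        if (auth.getCurrentUser() == null) {
            goToLogin();
        }
    };

    @Override
    protected void onStart() {
        super.onStart();
        // A listener only runs once it has been registered.
        FirebaseAuth.getInstance().addAuthStateListener(authListener);
    }

    @Override
    protected void onStop() {
        super.onStop();
        FirebaseAuth.getInstance().removeAuthStateListener(authListener);
    }

    // Call from the menu handler, e.g. when R.id.action_log_out is selected.
    protected void logOut() {
        // Clears the locally stored credentials; the listener then redirects.
        FirebaseAuth.getInstance().signOut();
    }

    private void goToLogin() {
        Intent intent = new Intent(this, LoginActivity.class);
        // Start the login screen in a new, cleared task so no authenticated
        // activity remains on the back stack.
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
        startActivity(intent);
        finish();
    }
}
```

Activities that show user data extend this class instead of `AppCompatActivity`; the login screen itself does not, otherwise it would redirect to itself.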