How To Check Whether User is Disabled or Not in Firebase Auth

前端 未结 3 1497
北荒
北荒 2021-01-11 16:01

I have a Login System implemented using Firebase Auth, But Whenever I Disable any user he/she can still be logged.

But When he/she log out and login him/her by thems

3条回答
  •  别那么骄傲
    2021-01-11 16:15

    If you disable or delete a user account does not mean that it also fires an auth state change. Nor should it, because the user is still authenticated in application. You need to know that in at most an hour, Firebase Authentication will try to refresh the access token for that particular user that was disabled or deleted. But in this case that refresh will fail, at which point the user will become unauthenticated. This is the point in which the auth state change event will fire.

    If you want to revoke the user's authorization immediately, you'll have to do so in another part of your application logic. A common practice when it comes to Firebase is to create a new node in your database called blacklist that should look like this:

    Firebase-root
       |
       --- bannedUsers
              |
              uidOfBannedUser: true
    

    Now when you delete/disable a user's account in your Firebase console, you also need to add the corresponding uid to the list of banned users in the database.

    The database can then be secured against access from unauthorized users with the help of Firebase Database Security Rules. This can be done by adding a clause to your database security rules like this:

    {
      "rules": {
        "bannedUsers": {
          ".read": true,
          ".write": false // only admins can write these
        },
        "messages": {
          ".read": "auth != null && !root.child('bannedUsers').child(auth.uid).exists()"
        }
      }
    }
    

    If you use a different back-end, the implementation will be different. There can orher more examples but a blacklist like this is a common approach to ban users. You'll find that you may even care little enough about their authentication that you only ban them, instead of deleting their credentials, which they could simply recreate.

提交回复
热议问题