I am new to Firebase, but I managed to develop an app using Firebase email & password authentication. This app is for an organization's members so there is no sign up on th
You can employ a session manager, which just keeps track of the last session and terminates all other sessions for that user. A simple way to accomplish this is to generate a UUID (random 128-bit value) on the client every time your app launches and call it sessionId. If the user is logged in, or when the user logs in, write that sessionId to the database under the current user's userId in a field called lastSessionId. Then just listen for changes to lastSessionId (on the client) for the current userId.
When another client launches your app using the same userId, that client is also given a random sessionId and that sessionId is also written to the database under that userId (overriding the last client's write). All of the clients logged into that userId are then notified of the change to lastSessionId (through the document listener) and for every client where the local sessionId does not match the remote lastSessionId, their UX is handled accordingly. You can gracefully sign those clients out or more brutally terminate their app with some sort of fatal error.
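The flow described in the answer above, as an added example that is not part of the original answer: two clients for one userId, where the older one signs itself out when lastSessionId is overwritten. FakeUserDoc is a hypothetical in-memory stand-in for the user document and its real-time listener, and SessionClient and runScenario are likewise illustrative names, so the sketch runs offline under Node.js.

```javascript
// Added example. FakeUserDoc stands in for the database document stored
// under the userId; it is an assumption, not a Firebase SDK class.
const { randomUUID } = require('node:crypto');

class FakeUserDoc {
  constructor() { this.data = {}; this.listeners = new Set(); }
  // Overwrite fields and notify every client currently listening.
  set(fields) {
    Object.assign(this.data, fields);
    for (const fn of [...this.listeners]) fn({ ...this.data });
  }
  // Register a listener; returns an unsubscribe function.
  onChange(fn) {
    this.listeners.add(fn);
    return () => this.listeners.delete(fn);
  }
}

class SessionClient {
  constructor(doc) {
    this.doc = doc;
    this.sessionId = randomUUID(); // fresh random 128-bit value per app launch
    this.signedIn = false;
  }
  signIn() {
    this.signedIn = true;
    // Listen before writing, so later overwrites by other clients are seen.
    this.unsubscribe = this.doc.onChange((d) => {
      if (this.signedIn && d.lastSessionId !== this.sessionId) this.signOut();
    });
    this.doc.set({ lastSessionId: this.sessionId });
  }
  signOut() {
    this.signedIn = false; // a real app would also call the SDK's sign-out here
    if (this.unsubscribe) this.unsubscribe();
  }
}

// Constructed scenario: the same user signs in on a phone, then on a laptop.
function runScenario() {
  const doc = new FakeUserDoc();
  const phone = new SessionClient(doc);
  const laptop = new SessionClient(doc);
  phone.signIn();
  laptop.signIn(); // overwrites lastSessionId, so the phone is notified
  return {
    phoneSignedIn: phone.signedIn,
    laptopSignedIn: laptop.signedIn,
    lastIsLaptop: doc.data.lastSessionId === laptop.sessionId,
  };
}
```

Because the comparison runs in client code, it only governs clients that cooperate; it does not by itself invalidate the auth token already issued to the older device.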
I understand I should be using an auth token
That won't work. Whenever a user signs in on a device, they get a new auth token. So the same user being signed in on two devices will have two different auth tokens.
But they will have the same UID. So I'd actually store the uid and something that identifies the active device in the database.
activeDeviceByUser
<uid>: <device ID>
Then remove that when the user signs out or disconnects.