When a user is deleted via the Registered Users section of the Login & Auth Firebase web interface, the onAuth method is not triggered and the user remains logged in and able to write to the database. How can one ensure that the user's session is destroyed when the user is deleted?

Frank van Puffelen
user3391835
  • Possible duplicate of [Firebase authentication not revoked when user deleted?](http://stackoverflow.com/questions/19377172/firebase-authentication-not-revoked-when-user-deleted) – Frank van Puffelen Nov 18 '15 at 17:02

1 Answer

Security rules.

When a user is deleted they are not immediately unauthenticated. However, you can write your security rules in a way that protects private data from users who no longer exist.

Take the following data for example.

{
  "privateData": "only authenticated and existing users can read me!",
  "users": {
    "user1": "Alice",
    "user2": "Bob"
  }
}

In this situation we only want users in the /users list to have access to the /privateData location. A simple auth != null would work, until one of the users is removed.

{
  "rules": {
    "privateData": {
      ".read": "auth != null && root.child('users').child(auth.uid).exists()",
      ".write": "auth != null && root.child('users').child(auth.uid).exists()"
    }
  }
}

The rules above not only check for an authenticated user, but they also check that the user exists in the /users location.

The token will expire and they will no longer be able to log in. But with robust security rules you can guarantee they no longer have access to any data.

David East
  • Thanks for the reply. Is there any way based on this to detect that a user has tried to access some privateData when he is not authenticated and then log him out? Or can he as the user only log himself out of his active session before the token expires? – user3391835 Nov 18 '15 at 19:15
  • You could create a location in your Firebase that indicates which users are deleted. If you run a global value listener for this on the users app, you could then call ref.unauth() when the data appears in the listener. It's not elegant and usually not necessary when you have proper security rules. The token will expire and they will lose access. – David East Nov 19 '15 at 05:36
  • @DavidEast, you should remove the "auth.uid == ". The condition should be "auth != null && root.*blah*.exists()"... – jazzgil Mar 15 '17 at 07:23
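To see why the comment above matters, here is an added example (not code from the answer or from Firebase) that mocks the rule variables `auth` and `root` in plain JavaScript and evaluates both the rule as first posted and the corrected one against the answer's sample data. It assumes JS comparison semantics are close enough to the rules language for these two expressions, and it uses `new Function` only on the constant rule strings embedded here.

```javascript
// Constructed sample database: the answer's data, with valid JSON.
const sampleData = {
  privateData: "only authenticated and existing users can read me!",
  users: { user1: "Alice", user2: "Bob" },
};

// Minimal mock of the rules `root` object (assumed interface, not the SDK):
// child(path) navigates one level, exists() reports whether data is present.
function makeRoot(data) {
  const node = (value) => ({
    child: (path) =>
      node(value !== null && typeof value === "object" && path in value ? value[path] : undefined),
    exists: () => value !== undefined && value !== null,
  });
  return node(data);
}

// Evaluate a rule expression string for a given auth object and data tree.
// Test harness only: the rule text is a trusted constant, never user input.
function evaluateRule(rule, auth, data) {
  const fn = new Function("auth", "root", `return (${rule});`);
  return fn(auth, makeRoot(data)) === true;
}

// As originally posted: compares a uid string with a boolean, so it never grants access.
const originalRule =
  "auth != null && auth.uid == root.child('users').child(auth.uid).exists()";
// As corrected in the comments: the existence check alone.
const fixedRule = "auth != null && root.child('users').child(auth.uid).exists()";

// Outcome for an anonymous client, a user still under /users, and a deleted user
// whose token is still valid but whose uid no longer appears under /users.
function accessMatrix(rule, data) {
  return {
    anonymous: evaluateRule(rule, null, data),
    existing: evaluateRule(rule, { uid: "user1" }, data),
    deleted: evaluateRule(rule, { uid: "user3" }, data),
  };
}

console.log("original:", accessMatrix(originalRule, sampleData));
console.log("fixed:   ", accessMatrix(fixedRule, sampleData));
```

The original expression locks out everyone, including legitimate users; the corrected one admits only uids still listed under /users, which is what keeps a deleted user's still-valid token from reaching /privateData.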