2

I have created an Appcelerator iPhone app based on Firebase authentication, which works very well. But now I have come across some unexpected behaviour. My setup is as follows: on app start, the user must log in or register. During registration, the account is created, and the corresponding account data (uid, name, email, date etc.) is also stored in a /users/uid data entry.

When I remove a user from Firebase through the Dashboard, by removing it from both /users/uid and the "Login & Auth" tab, it looks all clear. But when the user opens the app, he still remains logged in.

How can I enforce removing a user, where he is also logged out the next time he opens the app?

t vm

2 Answers

6

According to the Firebase Google Group, this is a known bug with Firebase:

> This is a known bug on our end. As you noted, after deleting a user, existing auth tokens are still valid and can be used to read and write to your Firebase database. Security Rules are still enforced on these tokens and that user will still only be able to access their own Firebase data (if your rules are set up as such). Those auth tokens will be valid until they expire. There is currently no workaround for this bug although we are going to be fixing this in a future release.

https://groups.google.com/d/msg/firebase-talk/Yr_wn02q0bk/eTM9hop3paoJ

The only thing I can think to do is check whether you can read to your users area, and if there's nothing there, force a log out.

Simon
  • I'm having a similar issue. Pretty frustrating that they don't have a workaround yet. I'd think it would be pretty simple to implement a check for if their token corresponds to an authenticated user or not. –  Aug 16 '16 at 20:50
  • Anyone know if this has been fixed? – MikeG Oct 19 '16 at 04:06
  • @Simon, I am trying to do as you suggested `check whether you can read to your users area, and if there's nothing there, force a log out`, but any completion handler from an observer is not executed, neither the `with`, nor the `withCancel`. My post https://stackoverflow.com/questions/45668411/observers-completion-handler-not-called-how-to-check-in-code – Laura Calinoiu Aug 14 '17 at 06:21
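
The workaround suggested in the answer above (read the user's own /users/uid entry at startup and log out if it is gone), as an added example that is not part of the original answers. `backend` and its three methods are a hypothetical adapter around whatever auth and database calls the app uses, not Firebase APIs; the timeout covers the case raised in the comments where the read callback never fires.

```javascript
// Added example. `backend` is a hypothetical adapter (assumption), not a Firebase API:
//   backend.currentUid()        -> uid string, or null when nobody is signed in
//   backend.readUserRecord(uid) -> Promise resolving to the record, or null if absent
//   backend.signOut()           -> drops the locally cached session

// Reject if `promise` has not settled within `ms` milliseconds.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('timeout')), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Run once at app start, before any signed-in screen is shown.
// Returns 'ok', 'signed_out' or 'unverified'.
async function verifySessionOnStartup(backend, timeoutMs = 5000) {
  const uid = backend.currentUid();
  if (!uid) return 'signed_out';
  let record;
  try {
    record = await withTimeout(backend.readUserRecord(uid), timeoutMs);
  } catch (err) {
    // Offline, read denied, or a callback that never fires: account state is
    // unknown. Keep the session but let the caller decide what to unlock.
    return 'unverified';
  }
  if (record === null || record === undefined) {
    // The /users/<uid> entry was removed: treat the account as deleted.
    backend.signOut();
    return 'signed_out';
  }
  return 'ok';
}

// Constructed in-memory backend, for demonstration only.
function makeFakeBackend(users, uid, options = {}) {
  const state = { uid };
  return {
    currentUid: () => state.uid,
    readUserRecord: (id) => (options.hang
      ? new Promise(() => {}) // simulates a handler that is never called
      : Promise.resolve(id in users ? users[id] : null)),
    signOut: () => { state.uid = null; },
  };
}
```

This only clears the local session; as the quoted reply notes, the deleted user's token itself stays valid until it expires, so access control still rests on the Security Rules.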
0

From your behavior it seems like there may be a configuration issue or just a bug. Does the user's information get removed from the corresponding data source (DB or in-memory store)? I would start there, then move on to researching how the corresponding cookies/tokens work and contact their support.

Though perhaps you shouldn't outright delete the user; perhaps just disable the user, thereby accomplishing the same result? Maybe this behavior will work properly.

tmpg