So I built a simple app using Firebase Authentication (with just email and password) and it was working great, but in order to TestFlight my sign up/login page I needed to delete the accounts of everyone who had signed up with the app previously, only to find that deleting the users on the console doesn't actually deauth them in the app. I would imagine there would be a way to check a user's authentication status in the Firebase console (if they exist or not at least) but I can't find that functionality to save my life. Any help is welcome and appreciated!
-
When a user signs in with Firebase Authentication two tokens are minted. One token identifies the user and never expires. The other is used to actually access the system. The latter token expires after an hour and needs to be refreshed (and is auto-refreshed by the SDK) hourly, which will fail if you've deleted or disabled the account. – Frank van Puffelen Aug 17 '16 at 01:40
-
@FrankvanPuffelen that is good info, thank you. The issue I'm having is that the user info is still stored on the device as a `currentUser` `FIRUser` object. That was why I tagged iOS and Android in this because I don't think web would have this issue but it applies to Firebase for mobile devices (what I'm having the issue on). – Aug 17 '16 at 02:15
3 Answers
The code below works great on Android to confirm if the Firebase Auth user still exists (has not been deleted or disabled) and has valid credentials.
Deleting the Auth user from the Firebase console does not revoke auth tokens on devices the user is currently logged in on, as the token is cached locally. Using reload() forces a check with the Firebase Auth server.
```java
mFirebaseUser.reload().addOnCompleteListener(new OnCompleteListener<Void>() {
    @Override
    public void onComplete(@NonNull Task<Void> task) {
        if (task.isSuccessful()) {
            // User still exists and credentials are valid
        } else {
            // User has been disabled, deleted or login credentials are no longer valid,
            // so send them to Login screen
        }
    }
});
```

I ran into this same issue and found a workaround that I've been using ever since. Instead, I just query my database in /users (a category I created for users) and check if my current ID exists. If it does not, I know the account has been deleted. This means you need to create an entry with your userID in /users on sign up and delete this entry when you delete the account. To see if the currently authenticated user is deleted, do something like this:
```objc
NSString *currentID = [FIRAuth auth].currentUser.uid;
[[[[[FIRDatabase database] reference] child:@"users"] child:currentID] observeSingleEventOfType:FIRDataEventTypeValue withBlock:^(FIRDataSnapshot * _Nonnull snapshot) {
    // The snapshot object itself is never NSNull; exists reports whether data is stored at /users/<uid>
    if ([snapshot exists]) {
        // User still exists
    } else {
        // Account no longer exists (deleted)
    }
}];
```

-
Good one. This sort of whitelist is indeed a common way to ensure that you can immediately lock out a user. Given OP's remark about prepping for test flight, I felt letting the access token expire might be a reasonable alternative here. – Frank van Puffelen Aug 17 '16 at 02:01
-
Yes, letting it expire would work great for the situation that OP is describing. Also, implementing something like the above will be another measure to make sure the account isn't deleted. – Ian Richard Aug 17 '16 at 02:17
-
This is not a bad idea for sure but seems a bit tedious. Hopefully they come out with a simpler solution soon. So if a new user is created will it overwrite the FIRUser stored in the app? – Aug 17 '16 at 02:19
-
Yes, registering a new user would overwrite the current auth token. – Ian Richard Aug 17 '16 at 04:01
-
There is a workaround for not letting the newly registered user take over the currently signed in user. http://stackoverflow.com/questions/37517208/firebase-kicks-out-current-user – gegobyte Aug 17 '16 at 06:49
-
@IanRichard That's solid. I think I'm close but not quite getting the behavior I'm looking for. Would you mind taking a look? It would be on github.com/niclaughter/One-More-Pun. – Aug 17 '16 at 19:47
-
Which file in the GitHub project did you add this functionality to? And what behavior are you getting? – Ian Richard Aug 17 '16 at 19:50
I spent all day since posting this trying to do the whitelist solution and couldn't get it to work. However, a friend of mine sent me a solution similar to this and it works like a charm.
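```swift
func checkUserAgainstDatabase(completion: (success: Bool, error: NSError?) -> Void) {
    guard let currentUser = FIRAuth.auth()?.currentUser else {
        // No cached user on the device: report failure instead of returning silently
        completion(success: false, error: nil)
        return
    }
    // Forcing a refresh contacts the server, so a deleted or disabled account produces an error
    currentUser.getTokenForcingRefresh(true) { (idToken, error) in
        if let error = error {
            completion(success: false, error: error)
            print(error.localizedDescription)
        } else {
            completion(success: true, error: nil)
        }
    }
}
```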
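
The token lifecycle from the comments under the question and the forced checks in the first and third answers, modelled as an added example that is not part of any post on this page and is not Firebase SDK code. `AuthServer`, `Client`, `timeline` and the exception names are hypothetical, and the model adds one case the answers leave out: a refresh that fails only because the device is offline.

```python
ID_TOKEN_TTL = 3600  # seconds; the thread says the access token lasts an hour
class AccountGone(Exception): pass
class NetworkDown(Exception): pass

class AuthServer:
    """Toy auth backend (constructed for this example, not the Firebase API)."""
    def __init__(self):
        self.users, self.online = set(), True
    def sign_in(self, uid, now):
        self.users.add(uid)
        return {"refresh": uid, "access_exp": now + ID_TOKEN_TTL}

    def refresh(self, refresh_token, now):
        if not self.online:
            raise NetworkDown()
        if refresh_token not in self.users:  # account deleted or disabled
            raise AccountGone()
        return now + ID_TOKEN_TTL

class Client:
    def __init__(self, server, uid, now):
        self.server = server
        self.session = server.sign_in(uid, now)  # cached on the device

    def check(self, now, force=False):
        """Return 'ok', 'signed_out' or 'unknown' for the cached session."""
        if self.session is None:
            return "signed_out"
        if not force and now < self.session["access_exp"]:
            return "ok"  # answered from the local cache, server never asked
        try:
            self.session["access_exp"] = self.server.refresh(self.session["refresh"], now)
            return "ok"
        except AccountGone:
            self.session = None  # only a definite server rejection signs out
            return "signed_out"
        except NetworkDown:
            return "unknown"  # being offline is not evidence of deletion

def timeline():
    server = AuthServer()
    client = Client(server, "uid-1", now=0)
    server.users.discard("uid-1")  # account deleted server-side right after sign-in
    results = [client.check(now=600)]  # passive check 10 minutes later
    server.online = False
    results.append(client.check(now=700, force=True))
    server.online = True
    results.append(client.check(now=800, force=True))
    return results
```

`timeline()` returns the passive, offline-forced and online-forced results in that order; without a forced check the deleted account is only noticed once the cached access token reaches its expiry.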