If I open a website with Firebase installed and I execute `firebase.auth().currentUser.delete()` in the browser console after a user has logged in, the current user will be deleted. How can I prevent a user from calling the delete function? Is there a way to disable this?

Danny Ogen

2 Answers

There is no way to prevent a user from deleting their Firebase Authentication account. But whether you expose such functionality in your app is of course up to you.

It sounds a bit like an XY problem. What app-level problem are you trying to accomplish by disabling users from deleting their Firebase Authentication account?

Frank van Puffelen
  • Hi Frank, thanks for the answer. The issue is that if I have a website that uses Firebase Authentication as my solution, a "smart" user can open any of my webpages in developer mode and issue a delete command for their account. If a user does this it means I lose his auth account, and this can cause a lot of problems with getting the account in sync again (especially if this is a paying user). I do not understand why this "delete" is up to the user and does not need "admin" rights. – Danny Ogen Sep 11 '16 at 15:04
  • Frank, just to make it clear: I will not expose this delete functionality to my users, but I feel "exposed" that a "clever" developer can cause issues by deleting an account using a simple console command. – Danny Ogen Sep 11 '16 at 15:29
  • **A user can only delete their own account**. If a user intentionally goes into the console to delete their account, the problems that causes are their own doing. – Frank van Puffelen Sep 11 '16 at 15:40
  • @FrankvanPuffelen I am trying to do something similar because I am trying to integrate 2FA (TOTP) into my app. I couldn't find a way to integrate it properly, so it works by checking the 2FA code once the user is logged in and using a "message bus" system on the Realtime DB for accessing the user's data once the user has confirmed their code. Now the issue is, if the "attacker" is smart enough, he could just delete the user after logging in. –  Jul 06 '17 at 18:37
  • @FrankvanPuffelen If the user can delete their account, you will have a serious problem tracking the user's history. You have a more serious problem if a fraudulent user deletes the account and then registers again (same phone number, for example): Firebase assigns a new UID, and if the backend has registered the old UID it will never have a way to identify that the user is the same! One solution would be for Firebase to return the same user ID if the user registered with the same phone. – lascarayf Jul 14 '18 at 02:33
  • Like @lascarayf said, fraudulent users can use that to cause problems, then delete their own account and create another one using the same provider. This is a serious security problem. Fraudulent users can use this feature to make a big mess in the systems. – Eduardo Yamauchi Aug 19 '20 at 15:51

You can now prevent users from deleting their own accounts by unchecking "Enable delete" in the Firebase console. This was available only in Cloud Identity Toolkit console before.

Using `deleteUser()` will then throw an error: "Firebase: Error (auth/admin-restricted-operation)."

Dharmaraj
  • The message on my account still says "Upgrade to Firebase Auth with Identity Platform to access this feature. Learn more" – mikep17 Sep 07 '22 at 02:06
  • 2
    @mikep17 yes, you'll have to upgrade your project from https://console.cloud.google.com Once you enable Identity Platform. Checkout [this answer](https://stackoverflow.com/a/68829085/13130697) for more details. – Dharmaraj Sep 07 '22 at 03:54
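As an added example (not part of the answer above and not Firebase's own code), here is a small client-side wrapper around the Web SDK's `deleteUser(user)` that turns the `auth/admin-restricted-operation` rejection described in the answer into a plain result the app can act on, instead of letting it surface as an unhandled promise rejection. The `deleteUserFn` parameter and the `restrictedDeleteUser`/`fakeAuth` stand-ins are assumptions made so the wrapper can be exercised offline; in a real app you would pass `deleteUser` imported from `firebase/auth` and the result of `getAuth()`. The second code it recognises, `auth/requires-recent-login`, is the SDK's own error for a session that is too old for a sensitive operation.

```javascript
// Added example: wrapper around Firebase's deleteUser(user) that maps the
// SDK's error codes to app-level outcomes. The SDK function is injected
// (deleteUserFn) so the wrapper can be exercised without network access.

// Error code thrown when "Enable delete" is unchecked in the console.
const ADMIN_RESTRICTED = "auth/admin-restricted-operation";
// Error code thrown when the session is too old for a sensitive operation.
const REQUIRES_RECENT_LOGIN = "auth/requires-recent-login";

// Map a thrown Firebase auth error to a short outcome string.
function classifyDeleteError(err) {
  const code = err && typeof err.code === "string" ? err.code : "";
  if (code === ADMIN_RESTRICTED) return "restricted";
  if (code === REQUIRES_RECENT_LOGIN) return "reauth";
  return "unknown";
}

// Attempt to delete the signed-in user. Resolves to { ok, reason } instead
// of throwing, so callers can show the right message without try/catch.
async function tryDeleteCurrentUser(auth, deleteUserFn) {
  const user = auth.currentUser;
  if (!user) return { ok: false, reason: "no-user" };
  try {
    await deleteUserFn(user);
    return { ok: true, reason: null };
  } catch (err) {
    return { ok: false, reason: classifyDeleteError(err) };
  }
}

// --- Constructed stand-ins for offline use (assumptions, not SDK code) ---
// Mimics the rejection seen when self-service deletion is disabled.
async function restrictedDeleteUser(_user) {
  const err = new Error("Firebase: Error (auth/admin-restricted-operation).");
  err.code = ADMIN_RESTRICTED;
  throw err;
}
// Constructed auth objects: one with a signed-in user, one without.
const fakeAuth = { currentUser: { uid: "constructed-uid-123" } };
const noUserAuth = { currentUser: null };

// Usage in a real app: tryDeleteCurrentUser(getAuth(), deleteUser)
tryDeleteCurrentUser(fakeAuth, restrictedDeleteUser).then((r) =>
  console.log("result:", r)
);
```

Returning a result object rather than rethrowing keeps the "restricted" case (deletion disabled by the project owner) separate from the "reauth" case (the SDK wants a fresh sign-in first), so the UI can tell the user which one applies.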