
I'm working on an Angular app and I use Firebase to authenticate my users. I would like to know how I could prevent my users from giving their account to other people. I would also like to prevent people from using the same account to log in from different devices at the same time. I found some very good tutorials to build a presence system, but these systems don't prevent the same account from being used by many different people on several devices. I have been able to check if a user is trying to use an account that is already in use (online), but I can't manage to log out one of those users (using an already online account). I tried to call auth.signOut() inside the signInWithEmailAndPassword() method but it doesn't work; I don't succeed in logging out the users. Thank you for your help. What I would need is a snippet, because theoretically everything is very simple.

cedric123

2 Answers

Since you didn't state what language you're using I'm just going to use Swift, but the principles behind what I laid out here are the same for any language.

Take a look at this question. It appears that Firebase does not directly support what you are looking for. You can however, do something like this:

Create a tree in your database that stores a boolean value for user signins.

SignedIn: {
    uid1: {
        "signedIn": true
    },
    uid2: {
        "signedIn": false
    },
    .....
}

I'm assuming some where after authentication you change the screen. You'll now want to perform an additional query before doing that. If the user is already signed in you can display an alert, otherwise you can just continue as you always did.

import FirebaseAuth
import FirebaseDatabase

func alreadySignedIn() {
    guard let uid = Auth.auth().currentUser?.uid else { return }
    let ref = Database.database().reference().child("SignedIn").child(uid)
    ref.observeSingleEvent(of: .value, with: { snap in
        // A missing node (first sign-in for this user) counts as not signed in.
        let dict = snap.value as? [String: Any]
        let signedIn = dict?["signedIn"] as? Bool ?? false
        if signedIn {
            // display an alert telling the user only one device can use
            // their account at a time
        } else {
            // mark the account as in use, then change the screen like normal
            ref.setValue(["signedIn": true])
        }
    })
}

Of course this just prevents the account from being "shared" at the same time. You can make a stricter guideline if you only allow sign in based on a device id. For example you could get the device id and only allow sign in on that device. You'd have to allow users to update this when they get a new device, but if you really want to lock your accounts down this might be a better option.

DoesData
    TY DoesData it inspired me to implement a solution in angular2 – cedric123 Dec 20 '17 at 21:27
  • If someone uses a solution like this make sure you understand that firebase will revoke authentication tokens after a user leaves the app and doesn't come back for a couple of weeks or so... this obviously can cause your server data to be out of sync and lockout someone. I'm currently searching for a solution to this – landnbloc Dec 09 '21 at 20:24
  • This can be practically implemented, but what if someone deleted the app? Then the value will remain true as signed in, and now if we sign in it will show the dialog. We have no user signed in to any device, but it will still show the alert and the user will not be able to sign in again in future. – Sanny khan Dec 06 '22 at 11:10
  • Yes - that is a potential UX issue. There are several things you could do here to resolve this. First is to generate a UUID and save it in the keychain to identify the device. You would save this UUID with the signed in value, so in this case the UUID matches and there is no issue. Another, more simple option is to just ask the user if they want to sign out of all their other devices, and you observe for that change in your app and sign the user out. – DoesData Dec 07 '22 at 17:33
Actually, you can't prevent your users from sharing their account with other people.

But you can make sure your user can only sign in on one device at the same time.

Normally, you can't sign out a user who has already logged in, unless you can notify your client with a message.

But just as @DoesData said, you can keep sign-in status data, and when the client visits the server, it can discover that it has already been signed out, or that others have already signed in.
Bruce