Android Studio: I am always logged in, although there are no users in my firebase and I check this with a function. Why?

Question

I write a code in which checks whether the user already exists and he does not log in again (would be annoying). I added this code to my LoginActivity because it would then have to jump into the AppStartActivity (the activity after logging in or registering) if it has already registered and logged in. However, I delete the user from the Firebase database and when I start the app again at the emulator, I am still in the AppStartActivity, although no account exists in the database, since I've deleted it. Why does this happen?

i check it if the user exists:

mAuthStateListener = new FirebaseAuth.AuthStateListener() {
            @Override
            public void onAuthStateChanged(@NonNull FirebaseAuth firebaseAuth) {

                FirebaseUser user = firebaseAuth.getCurrentUser();

                if (user != null) {
                    Intent switchToAppStartActivity = new Intent(getApplicationContext(), AppStartActivity.class);
                    startActivity(switchToAppStartActivity);
                }
            }
        };

but i delete all the users in firebase and still i switch to the Activity after the Login or Registration when i start the app on emulator. Why?

This is the whole code:

import android.content.Intent;
import android.support.annotation.NonNull;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.view.View;
import android.widget.EditText;

import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;

public class LoginActivity extends AppCompatActivity {

    EditText emailLogin;
    EditText passwordLogin;

    private FirebaseAuth mAuth;
    private FirebaseAuth.AuthStateListener mAuthStateListener;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);

        emailLogin = (EditText) findViewById(R.id.emailLogin);
        passwordLogin = (EditText) findViewById(R.id.passwordLogin);

        mAuthStateListener = new FirebaseAuth.AuthStateListener() {
            @Override
            public void onAuthStateChanged(@NonNull FirebaseAuth firebaseAuth) {

                FirebaseUser user = firebaseAuth.getCurrentUser();

                if (user != null) {
                    Intent switchToAppStartActivity = new Intent(getApplicationContext(), AppStartActivity.class);
                    startActivity(switchToAppStartActivity);
                }
            }
        };

    }

        public void setupNewAccount (View view){
        Intent registrationActivity = new Intent(getApplicationContext(), EmailSignUpActivity.class);
        startActivity(registrationActivity);

    }
}

Answer 1

Firebase Authentication uses ID tokens, which are valid for an hour after they are minted. This prevents the need to revalidate the token on ever call, and significantly improves performance. But it does mean that it is normal that the user stays signed in until their ID token needs to be refreshed.

If you need to lock a user out of the app, you should probably implement a blacklisting mechanism, where you store their UID in a list of known bad users. This also prevents them from simply reregistering again to regain access.

Also see:

• Why firebase user still signed in after I deleted it from firebase dashboard
• Firebase authentication not revoked when user deleted?
• Deletion of User in firebase does not trigger onAuth method
• Firebase user deleted but still logged in on device
• Firebase Authentication State Change does not fire when user is disabled or deleted