
I have an iOS app that checks whether a user is already logged in by checking Auth.auth().currentUser. If this returns a non-null, the app 'automatically' logs the user into the app.

If I delete a user using Firebase admin tools, the iOS application will not know about the deletion. It will just check if Auth.auth().currentUser exists and if it does, it 'automatically' logs in. However, what is happening is that despite the deletion of a user (an anonymous user), the user is able to create documents in the database.

I have security rules to prevent this:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // Only the signed-in user may read or write their own user document...
      allow read, write: if request.auth != null && request.auth.uid == userId;

      // ...and anything nested beneath it.
      match /{document=**} {
        allow read, write: if request.auth != null && request.auth.uid == userId;
      }
    }
  }
}

How is it possible for a nonexistent user to have request.auth != null? The user does not exist in the "Authentication" tab.


Sure enough, if I reload the user it gives an error:

Auth.auth().currentUser?.reload { error in
    if let error = error { print(error.localizedDescription) }
}

There is no user record corresponding to this identifier. The user may have been deleted.

  • Maybe there is some sort of a cache that lives for X amount of hours despite user being deleted? I will see whether I start getting authentication errors after some time... – kgaidis Jul 17 '21 at 23:11
  • The user's token will stay valid for up to one hour after it was last refreshed by the app. – Doug Stevenson Jul 18 '21 at 01:45
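A startup check that replaces the bare currentUser test, added here as an example that is not part of the original question: it reloads the cached user from the Auth backend and then forces a fresh ID token, signing the client out when the account no longer exists instead of waiting for the old token to expire. It assumes the FirebaseAuth Swift SDK; the SessionCheck type and function names are this example's own.

```swift
import FirebaseAuth

/// Outcome of validating the locally cached Firebase user against the backend.
enum SessionCheck {
    case signedOut              // no cached user, or the account no longer exists
    case verified(uid: String)  // backend confirmed the account and minted a fresh ID token
    case unverified(Error)      // transient failure (offline etc.); caller decides how to degrade
}

/// Error codes from the Auth backend that mean the account itself is no longer usable.
private func accountIsInvalid(_ error: NSError) -> Bool {
    let fatalCodes = [AuthErrorCode.userNotFound, AuthErrorCode.userDisabled,
                      AuthErrorCode.userTokenExpired, AuthErrorCode.invalidUserToken]
    return error.domain == AuthErrorDomain && fatalCodes.map { $0.rawValue }.contains(error.code)
}

/// Replaces a bare `Auth.auth().currentUser != nil` test at launch. `reload()` asks the
/// Auth backend for the account, so a user deleted in the console is detected now instead
/// of whenever the cached ID token (valid for up to an hour) happens to expire.
func validateCachedSession(completion: @escaping (SessionCheck) -> Void) {
    guard let user = Auth.auth().currentUser else {
        completion(.signedOut)
        return
    }
    user.reload { error in
        if let error = error as NSError? {
            if accountIsInvalid(error) {
                try? Auth.auth().signOut()   // drop the stale local session
                completion(.signedOut)
            } else {
                completion(.unverified(error))   // e.g. no network: do not treat as authenticated
            }
            return
        }
        // Force a newly minted ID token so the next Firestore requests do not reuse one
        // issued before the account was deleted.
        user.getIDTokenForcingRefresh(true) { _, tokenError in
            if let tokenError = tokenError as NSError? {
                if accountIsInvalid(tokenError) { try? Auth.auth().signOut() }
                completion(accountIsInvalid(tokenError) ? .signedOut : .unverified(tokenError))
            } else {
                completion(.verified(uid: user.uid))
            }
        }
    }
}
```

Only the `.verified` case should unlock the "automatically logged in" path; `.unverified` is the place to show an offline or retry state rather than granting access on the strength of a cached user object.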
