
My application is a company-internal software. I want to enable all authenticated users to access all documents in the Firestore for tests. I ran into a mistake while doing this.

  1. The user logs in to the iOS app and has access to the documents.
  2. I delete the user from Firebase Auth (via the Firebase console). As long as the user has the app open, he receives updates and can read and write.

Here is the code from the rules:

  rules_version = '2';
  service cloud.firestore {
    match /databases/{database}/documents {
      match /{document=**} {
        // Any signed-in user may read and write every document (test configuration).
        // Each allow statement must end with a semicolon or the rules fail to compile.
        allow read: if request.auth != null;
        allow write: if request.auth != null;
      }
    }
  }

How can I prevent deleted users from continuing to have access?

Alex Mamo
Andreas

1 Answer

  1. The user logs in to the iOS app and has access to the documents.

That's the expected behavior.

  2. I delete the user from Firebase Auth (via the console). As long as the user has the app open, he receives updates and can read and write.

When a user signs in with Firebase, he receives a token that is valid for about an hour. Unfortunately, such a token cannot be revoked, due to expensive checks on each call.

If you delete a user account right from the Firebase Console, the user can still have access for up to an hour. After that period of time, the token needs to be refreshed. But this operation will fail since that account doesn't exist anymore. So that access will automatically be disabled within an hour.

However, if you want to remove that access before the token expires, then you should consider keeping an additional list of banned UIDs and maintaining it over time. For instance, you can keep a global list/array of bannedUIDs in a document, and add the UID to that. Lastly, in your security rules, you can check that that particular UID is not banned. If that UID exists inside that list, then Firebase servers will reject the operation.

Edit:

Another option might be to disable the user account. This accomplishes the same as above and the user won't be able to get a new token after the current token expires. It also prevents the user from signing up again with the same credentials.

Alex Mamo
  • And how about disabling the account instead of deleting it? Will this immediately prevent the user from reading/writing to the database? – Mises Jan 11 '22 at 07:00
  • @Mises Please check my updated answer. – Alex Mamo Jan 11 '22 at 07:05
  • Setting a rule that reads a document array with banned users is an extra read operation for the database. Is there a way I can disable a user and add him to the banned-users document, then temporarily set rules to check this banned list for an hour using the Admin SDK? Don't bother if you don't know; I will check it myself. I just wonder whether you know if it is possible. – Mises Jan 11 '22 at 08:22
  • @Mises Using the Admin SDK, most likely it would be possible. – Alex Mamo Jan 11 '22 at 08:36
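The ban-list check from the answer, written out as a complete ruleset. This is an added example, not code from the question or the answer, and it assumes two hypothetical layouts for the ban list: a single document `/config/bannedUsers` holding an array field `uids` (the answer's "global list/array in a document"), and, as an alternative that addresses the extra-read concern raised in the comments, one empty document per banned UID under `/bannedUsers/{uid}` that only needs an `exists()` check and has no array to grow. Both documents are meant to be written from the Admin SDK, which bypasses security rules.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Signed-in check, as in the original rules.
    function isSignedIn() {
      return request.auth != null;
    }

    // Variant A (the answer's suggestion): one document with an array of banned UIDs.
    // Assumed path: /config/bannedUsers, field `uids` (list of strings).
    // exists() runs first so a missing ban-list document denies nothing by error;
    // get() on the same document in the same evaluation does not cost a second read.
    function isBannedByList() {
      return exists(/databases/$(database)/documents/config/bannedUsers)
          && request.auth.uid in get(/databases/$(database)/documents/config/bannedUsers).data.uids;
    }

    // Variant B: one document per banned UID. Assumed path: /bannedUsers/{uid}.
    // A single exists() lookup, no array to read or maintain.
    function isBannedByDoc() {
      return exists(/databases/$(database)/documents/bannedUsers/$(request.auth.uid));
    }

    // Same wildcard as the original test rules, now also requiring "not banned".
    // Swap isBannedByDoc() for isBannedByList() to use Variant A.
    match /{document=**} {
      allow read, write: if isSignedIn() && !isBannedByDoc();
    }

    // Caveat: Firestore grants access when ANY matching rule allows it, so the
    // recursive wildcard above also lets every non-banned user write /bannedUsers
    // and /config. Narrow the wildcard to the app's real collections before this
    // leaves the test phase; only then does the "deny" below actually hold.
    match /bannedUsers/{uid} {
      allow read, write: if false;
    }
  }
}
```

On cost: every `get()` or `exists()` in a rule is billed as one document read per request (the point raised in the comments), so the ban check adds at most one read to each operation whichever variant is used. Once the deleted or disabled account's ID token expires (about an hour, per the answer) the token refresh fails anyway, so the ban document can be removed after that window if the list is only meant to bridge the gap.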