
Hey everyone, I'm trying to figure out how I can disable and log out a user correctly.

After researching I found out that this is the way we disable the user:

   const admin = require('firebase-admin'); // Firebase Admin SDK (Node.js)
   admin.initializeApp();
   // Disable the account: new sign-ins are rejected from this point on
   const user = await admin.auth().updateUser(userUid, {
      disabled: true,
    });

But the question I have is, what if the user is still logged in to the app? I tried it out and nothing happened: the user can still use the app after disabling him. So what can we do about that? I was thinking about logging the user out with a Firebase function. My app is written in Flutter; the backend is Firebase.

Michael m.

1 Answer

Being signed-in to Firebase is based on an ID token. By default such a token is valid for an hour from the moment it was minted, and the token itself cannot be invalidated during that time.

The user will remain authenticated (for up to an hour) until their ID token needs to be refreshed. At that point they'll be logged out and won't be able to log in again.

If you want to block their access before that ID token refresh, you will need to do that through some other mechanism, for example by keeping a list of disabled UIDs and checking against that.

I recommend checking out the Firebase documentation on managing user sessions, specifically the section on detecting ID token revocation.

This topic has been covered before, so I recommend checking out:

Frank van Puffelen
  • Hey, thanks for the nice answer, but I have a question about that. When we use security rules to disable read and write operations for users who are inside the blacklist, this will probably be a bad user experience, right? – Michael m. Jan 25 '22 at 08:48
  • That depends on how you implement it. For example, you could allow each user to read whether their token is present in the disallow list, and then notify them of that fact. You could also send them a message when you add them to the disallow list. – Frank van Puffelen Jan 25 '22 at 14:58
  • Thanks a lot Puff! – Michael m. Jan 25 '22 at 16:40
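The answer's two recommendations combined (disable the account, then stop trusting ID tokens minted before that moment instead of waiting up to an hour for the token to expire), as an added example that is not code from the question, the answer or Firebase's own docs. It assumes the Node.js Firebase Admin SDK, with `admin.auth()` passed in as `auth`, and a backend (for example a Cloud Function) that checks every request.

```javascript
// Assumed: `auth` is the Firebase Admin SDK's admin.auth() object, created and
// initialised by the caller. It is passed in rather than required here so the
// logic can be exercised against a stand-in object.

// Step 1: disable the account AND revoke its refresh tokens. Disabling alone
// only blocks new sign-ins; revoking means the existing session cannot mint a
// fresh ID token once the current one (valid for up to an hour) expires.
// Returns the revocation instant in seconds since the epoch, the unit Firebase
// uses for the auth_time claim inside ID tokens.
async function disableAndRevoke(auth, uid) {
  await auth.updateUser(uid, { disabled: true });
  await auth.revokeRefreshTokens(uid);
  const user = await auth.getUser(uid); // tokensValidAfterTime is a UTC date string
  return Math.floor(new Date(user.tokensValidAfterTime).getTime() / 1000);
}

// Step 2: the check the backend applies to every request for the remaining
// life of an already-issued token. This mirrors the comparison the Admin SDK
// makes for verifyIdToken(token, /* checkRevoked */ true): a token whose
// auth_time predates the revocation is rejected even though its signature and
// expiry are still fine.
function isSessionStillValid(decodedToken, validSinceSeconds) {
  if (typeof decodedToken.auth_time !== 'number') return false; // malformed claim
  return decodedToken.auth_time >= validSinceSeconds;
}

// Step 3: request path using the SDK itself. verifyIdToken(token, true) fetches
// tokensValidAfterTime and performs the auth_time comparison above, at the cost
// of one extra user lookup per call; without `true` a revoked token passes.
async function authorizeRequest(auth, idToken) {
  try {
    const decoded = await auth.verifyIdToken(idToken, true);
    return { ok: true, uid: decoded.uid };
  } catch (err) {
    // 'auth/id-token-revoked' and 'auth/user-disabled' are the SDK's error
    // codes for the two states this thread is about; deny on either.
    return { ok: false, code: err.code };
  }
}
```

For the client side of the answer's "notify them" suggestion, the same `validSince` value can be stored where the user's own security rules can read it, so the app can show a sign-out message instead of silently failing.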