prevent firebase user from deleting himself - firebase

If I open a website with Firebase installed and I execute firebase.auth().currentUser.delete() in the browser console after a user has logged in, the current user will be deleted. How can I prevent a user from calling the delete function? Is there a way to disable this?

There is no way to prevent a user from deleting their Firebase Authentication account. But whether you expose such functionality in your app is of course up to you.
It sounds a bit like an XY problem. What app-level problem are you trying to accomplish by disabling users from deleting their Firebase Authentication account?

You can now prevent users from deleting their own accounts by unchecking "Enable delete" in the Firebase console. This was available only in Cloud Identity Toolkit console before.
Using deleteUser() will throw an error "Firebase: Error (auth/admin-restricted-operation)."

Related

Detect account disable on Firebase Console

I'm using Flutter and Firebase. I am trying to figure out if there is a 'built in' way to detect when a Firebase account has been disabled, so that the Flutter app can react and sign out that user if they are logged in already?
I could accomplish this task by adding an 'isDisabled' property to the user's document, since I already listen for changes to that doc, and if it becomes 'true' then log them out. This would require that two changes are made: the 'isDisabled' is set on the user doc and the account is marked disabled under Authentication.
It just seemed like there might be a more direct way to accomplish this task.

There is not really a more direct way. Firebase Auth is not "realtime". When an account is disabled, the SDK does not know about it immediately. In fact, the user's auth token will stay valid for up to another hour after the time it was disabled. When the token finally expires, the SDK will no longer be able to refresh it, and the user will become signed out. Your code will then see that the user is signed out, and they will not be able to sign in again.
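
The window described in the answer above, as an added example that is not part of the original answer and is not Firebase SDK code: a constructed model in which a stateless token check keeps accepting a disabled account until the token expires, while a check that also looks up the account rejects it at once. The signing key, account store and all function names are assumptions made for illustration.

```javascript
// Added example: a constructed model of the token window, not Firebase SDK code.
const crypto = require('crypto');

const SIGNING_KEY = 'constructed-demo-key'; // stands in for the issuer's key
const TOKEN_LIFETIME_S = 3600;              // one hour, as in the answer above
// Constructed account store standing in for the authentication backend.
const accounts = new Map([['alice', { disabled: false }]]);

function sign(payload) {
  return crypto.createHmac('sha256', SIGNING_KEY).update(payload).digest('hex');
}

// Issue a signed token carrying uid, issue time and expiry (epoch seconds).
function issueToken(uid, now) {
  const claims = { uid, iat: now, exp: now + TOKEN_LIFETIME_S };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64');
  return `${payload}.${sign(payload)}`;
}

// Stateless check: signature and expiry only, so it cannot see a disabled account.
function verifyStateless(token, now) {
  const [payload = '', sig = ''] = String(token).split('.');
  const given = Buffer.from(sig);
  const expected = Buffer.from(sign(payload));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
  if (now >= claims.exp) return { ok: false, reason: 'expired' };
  return { ok: true, uid: claims.uid };
}

// Stateful check: the same verification plus an account lookup on every request.
function verifyWithAccountLookup(token, now) {
  const result = verifyStateless(token, now);
  if (!result.ok) return result;
  const account = accounts.get(result.uid);
  if (!account || account.disabled) return { ok: false, reason: 'user-disabled' };
  return result;
}

// Timeline: sign in at t=0, then the account is disabled; checks run later.
function demo() {
  const token = issueToken('alice', 0);
  accounts.get('alice').disabled = true; // admin disables the account
  return {
    statelessAt601: verifyStateless(token, 601).ok,          // inside the window
    lookupAt601: verifyWithAccountLookup(token, 601).reason, // lookup sees the flag
    statelessAt3600: verifyStateless(token, 3600).reason,    // token lifetime is over
  };
}
```

With the Firebase Admin SDK, the server-side counterpart is passing true as the checkRevoked argument of verifyIdToken(), which costs an extra backend request per check.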

Security Issue: How do I prevent firebase signInWithEmailAndPassword() usage?

The way I set up my signin, I am using firebase auth custom tokens. After 5 tries the account is locked. However there still exists a security flaw.
Suppose a hacker comes along and implements his own JavaScript file. All he has to do is implement the Firebase signInWithEmailAndPassword function and try as many email/password combinations as he likes, and eventually he will be able to get both the username and password. Then from there, sign into my normal system and I would never be able to detect that I was hacked.
I believe I have to implement some sort of Firebase security rules for this issue, but I do not know where to start and how to guard the Firebase users. Is there a way to stop someone from implementing that function?
I looked at Firebase security rules and it shows how to protect the Firebase database. But that doesn't work for my purpose. I need it to protect the Firebase authentication users.

The easiest and best solution is simply to disable all sign-in providers in the Firebase Console for your project. Custom auth is always enabled and can't be disabled.
You need to go to the "Authentication" section -> "SIGN-IN METHOD" -> "Sign-in provider".
https://firebase.corp.google.com/u/0/project/$PROJECT_ID/authentication/providers
If the user tries to create a password account, they will get an error operation-not-allowed.

Force a user in Meteor to relogin through the OAuth provider

I want to be able to force a user to relogin using the OAuth provider. I have tried deleting the services.resume.loginTokens, I tried deleting the AuthKey under the service itself in services.myService.accessToken but nothing works.
I also have searched through the OAuth package and looked at all the Accounts packages, but cannot find any code that allows me to force the user to relogin with the OAuth provider.
Does anyone have a clue?

Meteor has a login token, which is usually kept in the browser's local storage. This has a life of 3 months, and is how Meteor keeps the user logged in. If you simply call
Meteor.logout();
it will log the user out. If your routes check that the user is logged in, they will be forced to log in again.

Anonymous Log in with Firebase (Javascript)

I know there is a way to log in anonymously with Google Firebase, but I haven't gotten it working. The issue I am having is that my app needs to be accessible on any device without logging into any account with the app.
It needs to have full control of the app's database, both reading and writing. This app isn't really meant for public use, so I am OK with anonymous authentication. I also should not have to click a button in order for it to authenticate, it should do it automatically. I tried adding the code that Google provides, but it still won't authenticate. It does work with a Google account.
Thanks!

It was an issue related to the database rules. The default rules are set so that only authenticated users are able to read and write to the database. I set both so that anyone can read or write to the database from any device without logging in.

Is there an API call for removing registered Firebase users?

I know how to remove registered users manually via web interface (which is also answered by this question). This can be done without providing user's password.
Is there a way to remove a user automatically without their password? I have only found removeUser API call which requires user's password.
It would help to simplify deployment for testing/stage environments.

There is no API to programmatically access the email/password users in Firebase.
For development purposes, you can delete them through the Login & Auth tab of your app's dashboard.
