I have created an Appcelerator iPhone app based on Firebase authentication, which works very well. But now I come across some unexpected behaviour.
My setup is as follows: on app start, the user must log in or register. During registration, the account is created, and the corresponding account data (uid, name, email, date etc.) is also stored in a /users/uid data entry.
When I remove a user from Firebase through the Dashboard, by removing it from both /users/uid and the "Login & Auth" tab, it looks all clear. But when the user opens the app, he still remains logged in.
How can I enforce removing a user, where he is also logged out the next time he opens the app?
According to the Firebase Google Group, this is a known bug with Firebase:
This is a known bug on our end. As you noted, after deleting a user,
existing auth tokens are still valid and can be used to read and write
to your Firebase database. Security Rules are still enforced on these
tokens and that user will still only be able to access their own
Firebase data (if your rules are set up as such). Those auth tokens
will be valid until they expire. There is currently no workaround for
this bug although we are going to be fixing this in a future release.
https://groups.google.com/d/msg/firebase-talk/Yr_wn02q0bk/eTM9hop3paoJ
The only thing I can think to do is check whether you can read to your users area, and if there's nothing there, force a log out.
From your behavior it seems like there may be a configuration issue or just a bug. Does the user's information get removed from the corresponding data source (DB or in-memory store)? I would start there, then move on to researching how the corresponding cookies/tokens work and contact their support.
Though perhaps you shouldn't outright delete the user; perhaps just disable the user, therefore accomplishing the same result? Maybe this behavior will work properly.
Related
I'm using Flutter and Firebase. I am trying to figure out if there is a 'built in' way to detect when a Firebase account has been disabled, so that the Flutter app can react and sign out that user if they are logged in already?
I could accomplish this task by adding a 'isDisabled' property to the users document since I already listen for changes to that doc and if it becomes 'true' then log them out. This would require that two changes are made, the 'isDisabled' is set on user doc and account is marked disabled under Authentication.
It just seemed like there might be a more direct way to accomplish this task.
There is not really a more direct way. Firebase Auth is not "realtime". When an account is disabled, the SDK does not know about it immediately. In fact, the user's auth token will stay valid for up to another hour after the time it was disabled. When the token finally expires, the SDK will no longer be able to refresh it, and the user will become signed out. Your code will then see that the user is signed out, and they will not be able to sign in again.
I have my firebase authentication set to prevent multiple accounts for the same email, but it doesn't seem to be doing that. See following pictures:
Has anybody experienced this issue before?
**Edit:** Here's the details for reproducing this bug:
Pretty much the problem boils down to the updateEmail() function.
When a user signs up for my app I want to ensure I have an email for the user so searching for that user is easier. The problem is Facebook authentication doesn't ensure the user has an email for the following two reasons:
The user could have not allowed email permissions.
The user could have created their Facebook account only using a phone number.
Because of this, my login code is somewhat complex but here's a link to my code with comments to explain everything (Note that I'm using custom Facebook/Google buttons which is why I had to manually do some stuff): Login Gist
If you look at the func getFBUserData() and see the comments above it, the bug is happening in the Case 1's first bullet point:
// 1) user's facebook does have email. This is common case
// - in this case, sign them into Firebase
// - could be that they previously didn't have email but now they do, so update Firebase user's email
This is the edge case where for some reason a user first didn't allow email permissions, then changed their minds and allowed them. What's interesting is that the code will still throw the .errorCodeEmailAlreadyInUse error, but the account will show up in the Firebase console as seen in the picture in the SO question and the following which I just did: http://imgur.com/yMjYXgH
I am on the edge as to whether I should try Firebase for my upcoming project, or stick with the good old SQL db. I have read through the docs, and I think I understand their deal, but there is one thing that's not clear to me: where is the user signed in?
Say I have a sign in page located at:
mywebsite.com/login.html
After the user has successfully logged in, I wish to redirect the user to the main panel which may be:
mywebsite.com/main.html
When the user is redirected, is he still signed in, and when does the authentication end? Thanks!
The user will stay signed in across page transitions. The information is retained in local storage of your browser.
The user will stay signed in until you sign them out explicitly, or until an event occurs that requires them to re-authenticate (such as trying to change their password).
Is it possible to disable an authenticated user in a timely manner, like a trial version for certain days or hours? Is it possible to do it programmatically? If I'm not mistaken, I can't find a setting within the Firebase Authentication Console.
When you hover over a user in the Firebase Auth panel of the Firebase Console, you can see an overflow menu. That menu contains the option to disable the user's account:
This will prevent the user from logging in in the future. It will not immediately disable their access to the app, since their current access token may still be valid for up to an hour. If you want to immediately prevent the user from accessing your app, you'll also want to implement a secondary authorization mechanism, such as keeping a list of banned users in the Firebase Database.
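The deny list suggested in this answer, and the point in the first answer that Security Rules are still enforced on a deleted user's unexpired token, can be expressed as Realtime Database rules. This is an added example, not part of the answers above; the `banned` and `appData` node names are assumptions, and only `/users/<uid>` comes from the page.

```json
{
  "rules": {
    // Assumed node: one child per blocked uid, e.g. /banned/<uid> = true.
    // Clients can neither read nor write it; only an admin/server process,
    // which bypasses these rules, maintains the list.
    "banned": {
      ".read": false,
      ".write": false
    },

    // Profile record created at registration (path taken from the question).
    "users": {
      "$uid": {
        // Owner-only access, refused while the uid is on the deny list,
        // even though the auth token itself has not expired yet.
        ".read": "auth != null && auth.uid === $uid && !root.child('banned').child(auth.uid).exists()",
        ".write": "auth != null && auth.uid === $uid && !root.child('banned').child(auth.uid).exists()"
      }
    },

    // Assumed node holding the rest of each user's data.
    "appData": {
      "$uid": {
        // Same checks, plus the profile must still exist: removing
        // /users/<uid> cuts off a deleted account's token for this data.
        ".read": "auth != null && auth.uid === $uid && !root.child('banned').child(auth.uid).exists() && root.child('users').child(auth.uid).exists()",
        ".write": "auth != null && auth.uid === $uid && !root.child('banned').child(auth.uid).exists() && root.child('users').child(auth.uid).exists()"
      }
    }
  }
}
```

Write the uid under `/banned` before deleting or disabling the account; otherwise the still-valid token could simply recreate `/users/<uid>` through the owner write rule.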
I've been working on a Firebase application and created a number of dummy yet authenticated users and data. I'd like to wipe the whole thing clean and start over. I can do this with the data but not the authenticated users.
In forge it says that if I delete my firebase I won't be able to create a new one with the same name. Though not the end of the world I find this mildly irritating.
Is what I want to do possible?
If you're using Firebase Simple Login email / password authentication, you can log into Forge (at https://<your-firebase>.firebaseio.com) and manually remove the users under the 'Auth' panel.
For all other authentication types in Firebase Simple Login (such as Facebook, Twitter, GitHub, Persona, etc.), no user data is persisted, and thus there is nothing to delete.
UPDATED as of Feb 12 2015.
It's in the https://<your-firebase>.firebaseio.com?page=Auth
At the bottom, you will see the Registered Users.