为什么我从Firebase仪表板删除Firebase用户后仍登录 [英] Why firebase user still signed in after I deleted it from firebase dashboard
问题描述
我使用Firebase Quickstarts for Android Auth示例,然后在firebase仪表板中创建了一个用户,使用电子邮件和密码登录该用户,该用户已成功登录. 但是,当我删除用户时,它仍然登录并显示(user.getEmail())
I used Firebase Quickstarts for Android Auth sample, Then I created a user in firebase dashboard to login the user with email and password, the user logged in successfully. But when I deleted the user, it still logged in and showing the old user's email from (user.getEmail())
// [START auth_state_listener]
mAuthListener = new FirebaseAuth.AuthStateListener() {
@Override
public void onAuthStateChanged(@NonNull FirebaseAuth firebaseAuth) {
FirebaseUser user = firebaseAuth.getCurrentUser();
if (user != null) {
// User is signed in
Log.d(TAG, "onAuthStateChanged:signed_in:" + user.getEmail());
} else {
// User is signed out
Log.d(TAG, "onAuthStateChanged:signed_out");
}
// [START_EXCLUDE]
updateUI(user);
// [END_EXCLUDE]
}
};
// [END auth_state_listener]
我的Firebase仪表板中没有用户,而AuthStateListener则表明该用户已登录.
No users in my firebase dashboard and the AuthStateListener indecate that the user is signed in.
怎么可能?
推荐答案
删除帐户不会自动使该帐户的当前会话失效.他们当前的会话将保持有效,直到过期.您可以在Firebase信息中心中设置会话的过期时间间隔.
Deleting an account does not automatically expire the current session(s) for that account. Their current sessions will remain valid until they expire. You can set the session expiration interval in your Firebase Dashboard.
如果您要强制用户成为注销,致电ref.unauth().
但是,一般而言,您可能希望构建授权规则,以防止具有删除帐户的有效令牌的此类用户对数据进行更改.
But in general you'll likely want to build authorization rules to prevent such users with valid tokens from deleted accounts to make changes to the data.
用户更新电子邮件,密码或重设密码时. Firebase Auth后端吊销其令牌,要求它们重新进行身份验证或尝试再次登录.这是一项安全功能.例如,如果用户的帐户遭到破坏,则可以重置其密码.所有其他会话必须重新认证.
When a user updates their email, password or resets their password. Firebase Auth backend revokes their tokens requiring that they reauthenticate or try to sign in again. This is a security feature. For example a user may reset their password if their account was compromised. All other sessions must reauthenticate.
如果将用户配置文件保留在数据库中,则可以检查该记录是否仍存在于您的安全规则中:root.child('users').child(auth.uid).exists().
If you keep the user profiles in your database, you can check whether that record still exists in your security rules: root.child('users').child(auth.uid).exists().
另请参阅:
- Firebase authentication not revoked when user deleted?
- Deletion of User in firebase does not trigger onAuth method
这篇关于为什么我从Firebase仪表板删除Firebase用户后仍登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
