User keeps login even if I delete the account

Question

I'm making an app with Firebase Auth, but when I delete or disable an account I need to make a signOut() manually (I control this with a user reload); if I don't, the user can keep uploading data. How can I fix this without the app code?

Firebase rules

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}


App code - how to detect

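// Reload the cached user; the task fails if the account was deleted or disabled.
if (user != null) {
    user.reload().addOnCompleteListener(this, new OnCompleteListener<Void>() {
        @Override
        public void onComplete(@NonNull Task<Void> task) {
            if (!task.isSuccessful()) {
                // Log the failure reason, then drop the local session.
                String exc = task.getException().getMessage();
                Log.e("FireBaseUser", exc);
                auth.signOut();
            }
        }
    });
}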

Recommended answer

When a token is minted, it gets an expiration timestamp. This essentially says: "the information in this token is valid until ...". Deleting the user does not invalidate any existing tokens.

Keep in mind that since the newest Firebase Authentication SDKs, the tokens are only valid for one hour. So after at most an hour, the token will expire and it will be impossible for the deleted user to refresh it.

If this is not enough for your application, you can add logic to your application that marks the deleted users in the database (in a section that only the administrator can access):

/deletedUsers
  209103: true
  37370493: true

You can then in your security rules validate that only non-deleted users can access data:

".read": "!root.child('deletedUsers').child(auth.uid).exists()"
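
An added example, not part of the original answer: the rules from the question with the answer's deleted-user check applied to both .read and .write, since the question is about uploads continuing after deletion. It assumes the markers live at /deletedUsers/<uid> as in the answer, and that they are written only through the Admin SDK, which bypasses these rules.

```json
{
  "rules": {
    // Marker list from the answer. No client rule grants access here, so
    // only privileged server code (assumed: the Admin SDK) can touch it.
    // Rule expressions can still read it through `root`.
    "deletedUsers": {
      ".read": false,
      ".write": false
    },
    "users": {
      "$uid": {
        // Original ownership check, plus: deny as soon as a marker exists,
        // even while the user's existing ID token has not yet expired.
        ".read": "auth != null && auth.uid == $uid && !root.child('deletedUsers').child(auth.uid).exists()",
        ".write": "auth != null && auth.uid == $uid && !root.child('deletedUsers').child(auth.uid).exists()"
      }
    }
  }
}
```

The marker must be written at the same time the account is deleted or disabled, otherwise the token stays usable until it expires.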
