Deletion of User in firebase does not trigger onAuth method


Problem description

When a user is deleted via the Registered Users section of the Login & Auth firebase web interface, the onAuth method is not triggered and the user remains logged in and able to write to database. How can one ensure that the user's session is destroyed then the user is deleted?

Recommended answer

Security rules.

When a user is deleted they are not immediately unauthenticated. However, you can write your security rules in a way that protects private data from users who no longer exist.

Take the following data as an example.

{
  "privateData": "only authenticated and existing users can read me!",
  "users": {
    "user1": "Alice",
    "user2": "Bob"
  }
}

In this situation we only want users in the /users list to have access to the /privateData location. A simple auth != null would work, until one of the users is removed.

{
   "rules": {
     "privateData": {
        ".read": "auth != null && root.child('users').child(auth.uid).exists()",
        ".write": "auth != null && root.child('users').child(auth.uid).exists()"
     }
   }
}

The rules above not only check for an authenticated user, but they also check that the user exists in the /users location.

The token will expire and they will no longer be able to log in. But with robust security rules you can guarantee they no longer have access to any data.
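
The difference between the two rule expressions above, as an added example that is not part of the original answer: a small JavaScript model (not Firebase's rules engine; `snapshot`, `canRead` and the sample token are hypothetical names) evaluated for a user whose token has not yet expired. It assumes the user's /users entry is removed together with the account.

```javascript
// Added illustration: a tiny model of how the two rule expressions evaluate.
// Not Firebase's rules engine; snapshot() mimics only child() and exists().

// Constructed sample data, matching the example data in the answer.
const db = {
  privateData: "only authenticated and existing users can read me!",
  users: { user1: "Alice", user2: "Bob" },
};

// Minimal stand-in for a rules data snapshot.
function snapshot(node) {
  const isObject = node !== null && typeof node === "object";
  return {
    child: (key) => snapshot(isObject && key in node ? node[key] : undefined),
    exists: () => node !== undefined && node !== null,
  };
}

// Rule 1: "auth != null"
const authOnly = (auth, root) => auth !== null;

// Rule 2: "auth != null && root.child('users').child(auth.uid).exists()"
const authAndExists = (auth, root) =>
  auth !== null && root.child("users").child(auth.uid).exists();

// Evaluate both rules for one request against the current data.
function canRead(auth, data) {
  const root = snapshot(data);
  return {
    authOnly: authOnly(auth, root),
    authAndExists: authAndExists(auth, root),
  };
}

// user2 holds a token that has not expired yet, so auth is still populated.
const staleToken = { uid: "user2" };
const before = canRead(staleToken, db);

// The account is deleted and its /users entry removed; the token lives on.
delete db.users.user2;
const after = canRead(staleToken, db);

// A request with no token at all, for comparison.
const anonymous = canRead(null, db);

console.log({ before, after, anonymous });
```

After the deletion, `authOnly` still grants access to the stale token while `authAndExists` denies it, which is the gap the second rule closes.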
