如何在 Firebase Auth 中检查用户是否被禁用 [英] How To Check Whether User is Disabled or Not in Firebase Auth

问题描述

我有一个使用 Firebase Auth 实现的登录系统，但是每当我禁用任何用户时，他/她仍然可以登录.

I have a Login System implemented using Firebase Auth, But Whenever I Disable any user he/she can still be logged.

但是当他/她退出并自己登录他/她时，则禁用系统正在工作.

But When he/she log out and login him/her by themselves, then the disable system is working.

那么我应该怎么做每次检查用户是否被禁用?有什么功能什么的吗?

So what should I do to check every time, whether a user is disabled or not? Is there any function or something?

谢谢.

推荐答案

如果您disable 或 delete 一个用户帐户并不意味着它也会触发一个 身份验证状态更改.也不应该，因为用户仍在应用程序中进行身份验证.您需要知道，在最多一个小时内，Firebase 身份验证 将尝试刷新被禁用或删除的特定用户的访问令牌.但在这种情况下，刷新将失败，此时用户将变得未经身份验证.这是将触发 auth 状态更改事件的点.

If you disable or delete a user account does not mean that it also fires an auth state change. Nor should it, because the user is still authenticated in application. You need to know that in at most an hour, Firebase Authentication will try to refresh the access token for that particular user that was disabled or deleted. But in this case that refresh will fail, at which point the user will become unauthenticated. This is the point in which the auth state change event will fire.

如果您想立即撤销用户的授权，则必须在应用程序逻辑的另一部分执行此操作.Firebase 的常见做法是在您的数据库中创建一个名为 blacklist 的新节点，它应该如下所示:

If you want to revoke the user's authorization immediately, you'll have to do so in another part of your application logic. A common practice when it comes to Firebase is to create a new node in your database called blacklist that should look like this:

Firebase-root
   |
   --- bannedUsers
          |
          uidOfBannedUser: true

现在，当您在 Firebase 控制台中删除/禁用用户帐户时，您还需要将相应的 uid 添加到数据库中的禁止用户列表中.

Now when you delete/disable a user's account in your Firebase console, you also need to add the corresponding uid to the list of banned users in the database.

然后可以在 Firebase 数据库安全规则的帮助下保护数据库免受未经授权用户的访问.这可以通过在您的数据库安全规则中添加一个子句来完成，如下所示:

The database can then be secured against access from unauthorized users with the help of Firebase Database Security Rules. This can be done by adding a clause to your database security rules like this:

{
  "rules": {
    "bannedUsers": {
      ".read": true,
      ".write": false // only admins can write these
    },
    "messages": {
      ".read": "auth != null && !root.child('bannedUsers').child(auth.uid).exists()"
    }
  }
}

如果使用不同的后端，实现会有所不同.可以有更多的例子，但像这样的黑名单是禁止用户的常用方法.您会发现您甚至可能不太关心他们的身份验证，以至于您只是禁止他们，而不是删除他们的凭据，他们可以简单地重新创建凭据.

If you use a different back-end, the implementation will be different. There can orher more examples but a blacklist like this is a common approach to ban users. You'll find that you may even care little enough about their authentication that you only ban them, instead of deleting their credentials, which they could simply recreate.

这篇关于如何在 Firebase Auth 中检查用户是否被禁用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！