User authentication persisted after having cancelled the user from console.firebase.google.com


Problem description

If I delete a user directly from my Firebase Console, this user still has valid data on my Android device.

Of course, if I then access Firebase resources (e.g. Realtime Database), that doesn't work as expected.

But this causes a misalignment in the client, because if I have valid user data I show a specific UI for authenticated users, whereas if I have no user authenticated I show another UI.

How could I manage this situation?

What I've found, but I don't know if that is okay or is a workaround, is to call reload() on my FirebaseUser.

From the documentation this should throw an Exception, but that doesn't happen. What happens is that my user reference becomes null:

private void initializeUI(FirebaseUser user) {
    // reload() returns a Task and runs asynchronously; the result is not available here
    user.reload();
    if (null != user) {
        mUser = user;
    } else {
        // User must have been disabled or deleted from console
    }
}

I call initializeUI here:

@Override
public void onAuthStateChanged(@NonNull final FirebaseAuth firebaseAuth) {
    FirebaseUser user = firebaseAuth.getCurrentUser();

    if (null != user) {
        initializeSignInUI(user);
    } else {
        initializeSignOutUI();
    }
}

More info:

If I open my app the user is still alive on the client side. The trigger for the authenticated user is fired and here, with my code above, I can manage the situation. But I don't know if this is actually a workaround or the right practice.

EDIT 2 Just to reformulate my question:

This method works well:

public boolean validUser(FirebaseUser user) {
    boolean validUser = false;
    if (null != user) {
        try {
            user.reload();
            if (null != user) {
                validUser = true;
            }
        } catch (Exception e) {
        //} catch (FirebaseAuthInvalidUserException e) {
            validUser = false;
        }
    }
    return validUser;
}

Could I consider that a valid solution, or is there another best practice? This solution works only with FirebaseAuth, without the need to interact with FirebaseDatabase. I can call this method every time I have to check the user authentication.

Recommended answer

If your user is logged in, in your application, and you are manually deleting it from the Firebase Console, the user will remain active until the token is refreshed. So for about an hour at most, the user will remain authenticated. So if you want to restrict the access of a user instantly, you need to sign him out.

But there is another workaround, in which you can create a new node in your Firebase database named usersToLogOut and add there all the user ids as keys and the boolean true as the value. The database should look like this:

Firebase-root
     |
     --- usersToLogOut
             |
             --- uid1: true
             |
             --- uid2: true

The next step, when you delete that account manually, is to add the uid of the user under this node. You also need to use Firebase Security Rules to revoke access for unauthorized users. The rules should look like this:

{
  "rules": {
    "usersToLogOut": {
      ".read": true,
      ".write": false
    },
    "posts": {
      ".read": "auth != null && !root.child('usersToLogOut').child(auth.uid).exists()"
    }
  }
}

According to your edit, you say: what I'm asking here is not how to secure my DB from him/her but I to check that It has been deleted, but this is the easier way in which you can achieve this, by using the rules above. If you delete the user manually from the console, this doesn't mean that you are deleting everything with it, including database records. You need to do this yourself. So the simplest way is to use rules.

Additionally, if you delete all user records, then you can add a listener and force him to sign out, but this means that you need to search your database for all records and remove them accordingly. The first solution is easier, because you only need to add a single record in your database and that's it!

When you are deleting a user manually, this doesn't mean that the firebaseUser object will be null, so checking for nullity does not make any sense, because the user will still be authenticated until the next token refresh. So to solve this, you need to use Firebase rules to restrict the access.

So your code will always work. What I was trying to say is that between the time in which you delete the user manually from the console and the time in which you get a refreshed token, it can be up to an hour in which the user will still have access to your app, even if he is deleted. To stop this, for that hour, you need to use the solution above.

Edit 3, based on the OP's comment:

Your code works well and will always work, but the problem is that even if you delete the user from the console, he will still have access to the database until the next token refresh. And yes, the user will be able to access the database. That token will be valid for about an hour, and if you do not want that, you can restrict access using the security rules, and in that hour the user will not have access anymore.

In other words, if you delete it from the client side as well and it is not valid, and if someone else has 'stolen' this token, they could use it to access the DB. Not the user who is using your app, but someone who could have stolen that token.
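As an added example (not code from the original question or answer), here is how both checks could be combined in the Android client: the reload() result is read through its completion listener, with FirebaseAuthInvalidUserException treated as a deleted or disabled account, and a second listener watches the usersToLogOut/{uid} flag from the answer so the session is ended before the cached token expires. The class name SessionGuard and the Callback interface are assumptions.

```java
import androidx.annotation.NonNull;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthInvalidUserException;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.database.DataSnapshot;
import com.google.firebase.database.DatabaseError;
import com.google.firebase.database.DatabaseReference;
import com.google.firebase.database.FirebaseDatabase;
import com.google.firebase.database.ValueEventListener;

/** Hypothetical helper (not from the original post): detects an account deleted or disabled in the console. */
public class SessionGuard {
    public interface Callback { void onValid(FirebaseUser user); void onInvalid(); }

    private final FirebaseAuth auth = FirebaseAuth.getInstance();
    private final DatabaseReference logoutNode =
            FirebaseDatabase.getInstance().getReference("usersToLogOut");

    // Server-side check: reload() is asynchronous, so its outcome must be read in the completion
    // listener, not by testing the reference for null. A deleted or disabled account fails with
    // FirebaseAuthInvalidUserException; any other failure (e.g. no network) keeps the cached session.
    public void verify(final Callback cb) {
        final FirebaseUser user = auth.getCurrentUser();
        if (user == null) { cb.onInvalid(); return; }
        user.reload().addOnCompleteListener(task -> {
            if (task.isSuccessful()) {
                cb.onValid(user);
            } else if (task.getException() instanceof FirebaseAuthInvalidUserException) {
                auth.signOut();   // drop the cached session so the signed-out UI is shown
                cb.onInvalid();
            } else {
                cb.onValid(user); // transient error: the cached token is still honoured until refresh
            }
        });
    }

    // Database-side check for the usersToLogOut/{uid} flag described in the answer: the user is
    // signed out as soon as the flag is written, without waiting for the token to expire.
    public void watchLogoutFlag(@NonNull FirebaseUser user) {
        logoutNode.child(user.getUid()).addValueEventListener(new ValueEventListener() {
            @Override public void onDataChange(@NonNull DataSnapshot snapshot) {
                if (Boolean.TRUE.equals(snapshot.getValue(Boolean.class))) {
                    auth.signOut();
                }
            }
            @Override public void onCancelled(@NonNull DatabaseError error) { /* read denied or cancelled */ }
        });
    }
}
```

Note that the flag listener only stops the client from using the session; the database rules in the answer are still what actually deny reads for that hour, since a token copied off the device is not affected by a client-side signOut().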
