How to force logout firebase auth user from app remotely

Problem description

I have a project which uses Firebase Auth with FirebaseUI to authenticate users. I have enabled Google, Facebook and email providers. What I need is to remotely logout or disable some of the users.

I want the users to logout from the app on doing so. I tried disabling the user in the Firebase console and also used the Firebase Admin SDK (https://firebase.google.com/docs/auth/admin/manage-sessions) to revoke the refresh tokens.

I waited for more than 2 days and still noticed that the user was logged in and could access the Firestore data.

I have also gone through and tried Firebase still retrieving authData after deletion

Can anyone point to what I am doing wrong?

Recommended answer

You also cannot remotely force a user to be signed out. Any sign out will have to happen from the device that the user is signed in on.

There is no way to revoke an access token once that is minted. This means that even if you disable the user's account, they may continue to have access for up to an hour.

If that is too long, the trick (as also mentioned in my answer to the question you linked) is to maintain a list of blocked users in your database (or elsewhere) and then check against that in your security rules (or other authorization layer).

For example in the Realtime Database, you could create a list of blocked users' UIDs:

banned_uids: {
  "uid1": true,
  "uid2": true
}

And then check against that in your security rules with:

".read": "auth.uid !== null && !root.child('banned_uids').child(auth.uid).exists()"
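
The same blocklist check applied in a server-side authorization layer, as an added example that is not part of the original answer. The `authorize` function, the `revokeTime` map and all claim values are assumptions constructed for illustration, and the claims are assumed to be already signature-verified.

```javascript
// Added example: an authorization layer that consults a server-side blocklist.
// Claims are assumed to be already signature-verified; all values are constructed.

// Mirrors the banned_uids node from the answer, plus a hypothetical per-user
// revokeTime (seconds) recorded when that user's refresh tokens were revoked.
const store = {
  banned_uids: { uid1: true, uid2: true },
  revokeTime: { uid3: 1700000600 },
};

// Decide whether a request carrying these ID-token claims may proceed.
function authorize(claims, db, nowSec) {
  if (!claims || typeof claims.sub !== "string" || claims.sub === "") {
    return { allow: false, reason: "unauthenticated" };
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) {
    return { allow: false, reason: "expired" };
  }
  // hasOwnProperty keeps inherited keys such as "constructor" out of the lookup.
  if (Object.prototype.hasOwnProperty.call(db.banned_uids, claims.sub)) {
    return { allow: false, reason: "banned" };
  }
  const revokedAt = Object.prototype.hasOwnProperty.call(db.revokeTime, claims.sub)
    ? db.revokeTime[claims.sub] : 0;
  // A token issued from a sign-in older than the revocation is rejected.
  if (typeof claims.auth_time !== "number" || claims.auth_time < revokedAt) {
    return { allow: false, reason: "session-revoked" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed claims: tokens minted at t=1700000000, valid for one hour.
const minted = 1700000000;
const token = (sub) => ({ sub, auth_time: minted, exp: minted + 3600 });
const now = minted + 900; // 15 minutes later, every token is still unexpired

for (const uid of ["uid1", "uid3", "uid4"]) {
  console.log(uid, authorize(token(uid), store, now));
}
```

The unexpired tokens for `uid1` and `uid3` are rejected immediately, which closes the up-to-an-hour window the answer describes without waiting for the token to expire.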
