当从Firebase控制台删除Firebase用户时(在用户登录后)，它不会反映在应用程序中 [英] When a Firebase user is deleted from Firebase console (after user login), it is not reflected in the application

问题描述

user.uid仍然会出现(借助于此uid != null，我假设用户已登录).

The user.uid is still coming (with the help of this uid != null, I am assuming the user is logged in).

我也尝试过addAuthStateListener(mAuthListener)，但是我仍在获取以前删除的用户的UID.

I also tried addAuthStateListener(mAuthListener), but I am still getting UID of the previously deleted user.

如果不使用数据库跟踪禁止或删除的用户ID，则可以立即删除该用户.

Without using database track of banned or deleted user ids is it possible to remove that user instantly.

推荐答案

当用户登录Firebase时，他们将获得一个有效期为一小时的访问/ID令牌.此ID令牌无法撤消，因为这将要求Firebase对每个调用执行相当昂贵的检查.

When a user signs in to Firebase, they get an access/ID token that is valid for an hour. This ID token cannot be revoked, as that would require Firebase to perform a quite expensive check on each call.

因此，当您从控制台删除用户的帐户时，他们可能会保留长达一个小时的访问权限，这时他们将需要刷新其令牌，这将失败(因为您删除了他们的帐户).因此他们的访问权限将在一个小时内自动消失.

So when you delete the user's account from the console, they may retain access for up to an hour, at which point they will need to refresh their token, which will fail (since you deleted their account). So their access will automatically disappear within an hour.

几点:

• 如果您想在用户的ID令牌过期之前将其锁定在应用程序之外，则需要将其他一些禁止的UID保留在某个位置.例如，如果您使用的是Firebase数据库，则可以保留bannedUIDs的全局列表，然后向其中添加UID.然后在服务器端安全规则中，可以检查尝试访问数据库的UID是否未被禁止.
• 如果您删除用户的帐户，他们可以再次注册并创建一个新帐户.出于这个原因，通常最好禁用他们的帐户，该帐户可以完成相同的操作(它们将在当前证书过期后将无法获得新的ID令牌)，但可以防止他们使用相同的凭据再次进行注册.

• If you want to lock the user out of the application before their ID token expires, you'll want to keep an additional list of banned UIDs somewhere. For example, if you're using a Firebase database, you can keep a global list of bannedUIDs, and add the UID to that. Then in your server-side security rules, you can check if the UID who's trying to access the database isn't banned.
• If you delete the user's account, they can just sign up again and create a new account. For this reason it is typically better to disable their account, which accomplishes the same (they won't be able to get a new ID token after their current one expires), but prevents them from signing up again with the same credentials.

另请参阅:

• 视频保护应用安全的五个提示
• 即使我删除了帐户，用户仍保持登录状态
• 为什么使用Firebase用户从Firebase仪表板删除后仍保持登录状态
• 从Firebase删除帐户是否会自动注销用户? /a>
• 取消了来自console.firebase.google.com的用户
• > Firebase用户已删除，但仍在设备上登录

• the video Five tips to secure your app
• User keeps login even if I delete the account
• Why firebase user still signed in after I deleted it from firebase dashboard
• Does deleting account from Firebase automatically logs user out?
• User authentication persisted after having cancelled the user from console.firebase.google.com
• Firebase user deleted but still logged in on device

这篇关于当从Firebase控制台删除Firebase用户时(在用户登录后)，它不会反映在应用程序中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！