Firebase authentication not revoked when user deleted?


Question


I've encountered a strange behavior of the Firebase simple login with email/password: If I login with an existing user account I'm able to write to a Firebase ref (i.e. $root/list/$item). If not, I have no write access as expected (Firebase rules seem to be OK), BUT if a client is logged in, and I meanwhile delete a user from Firebase Forge (Auth page), the connected client has still write access to the Firebase ref! Is it by design or is it a bug? Thanks.

The rules are as follows:

{
  "rules": {
    ".read": true,
    "list": {
      "$item": {
        ".write": "auth != null && newData.child('author').val() == auth.id",
        ".validate": "newData.hasChildren(['author', 'content'])",
        "author": {
          ".validate": "newData.val() == auth.id"
        },
        "content": {
          ".validate": "newData.isString()"
        }
      }
    }
  }
}

Answer


Short answer: by design, or more accurately, not applicable in this case.


During auth, FirebaseSimpleLogin generates a token. Once the token is given to a client, it remains valid until it expires. Thus, when you delete the user account in simple login, this does not somehow go to the client's machine and remove the token. This is a pretty standard auth model, and the expiration length on the token (configurable in Forge) is the key constraint for security.


If you want to revoke logins immediately, then simple login is not the right tool for the job. You'll want to use custom login and generate your own tokens. There are some great discussions on revocable tokens, so I'll defer you to those, since that's outside the purview of your question.
