User authentication persisted after having cancelled the user from console.firebase.google.com


Problem description

If I delete a user directly from my Firebase Console, this user still has valid data on my Android device.

Of course, if I then access Firebase resources (e.g. Realtime Database), that doesn't work as expected.

But this causes a misalignment in the client, because if I have valid user data I show a specific UI for authenticated users, whereas if I have no user authenticated I show another UI.

How could I manage this situation?

What I've found, but I don't know if that is okay or is a workaround, is to call reload() on my FirebaseUser.

From the documentation this should throw an Exception, but that doesn't happen. What happens is that my user reference becomes null:

private void initializeUI(FirebaseUser user) {
    // reload() returns a Task<Void>, so the refresh completes asynchronously
    user.reload();
    if (null != user) {
        mUser = user;
    } else {
        // User must have been disabled or deleted from console
    }
}

I call initializeUI here:

@Override
public void onAuthStateChanged(@NonNull final FirebaseAuth firebaseAuth) {
    FirebaseUser user = firebaseAuth.getCurrentUser();

    if (null != user) {
        initializeSignInUI(user);
    } else {
        initializeSignOutUI();
    }
}

More info:

If I open my app the user is still alive on the client side. The trigger for the authenticated user is fired and here, with my code above, I can manage the situation. But I don't know if this is actually a workaround or the right practice.

EDIT 2 Just to reformulate my question:

This method works well:

public boolean validUser(FirebaseUser user) {
    boolean validUser = false;
    if (null != user) {
        try {
            user.reload();
            if (null != user) {
                validUser = true;
            }
        } catch (Exception e) {
        //} catch (FirebaseAuthInvalidUserException e) {
            validUser = false;
        }
    }
    return validUser;
}

Could I consider that a valid solution, or is there another best practice? This solution works only with FirebaseAuth, without the need to interact with FirebaseDatabase. I can call this method every time I have to check the user authentication.

Recommended answer

If your user is logged in to your application and you are manually deleting it from the Firebase Console, the user will remain active till the token is refreshed. So for at most about an hour, the user will remain authenticated. So if you want to restrict the access of a user instantly, you need to sign him out.

But there is another workaround, in which you can create a new node in your Firebase database named usersToLogOut and add there all the user ids as keys and the boolean true as the value. The database should look like this:

Firebase-root
     |
     --- usersToLogOut
             |
             --- uid1: true
             |
             --- uid2: true

The next step, when you delete that account manually, you need to add the uid of the user under this node. You also need to use Firebase Security Rules to revoke access for unauthorized users. The rules should look like this:

{
  "rules": {
    "usersToLogOut": {
      ".read": true,
      ".write": false
    },
    "posts": {
      ".read": "auth != null && !root.child('usersToLogOut').child(auth.uid).exists()"
    }
  }
}

EDIT 1:

According to your edit, you say: what I'm asking here is not how to secure my DB from him/her but to check that it has been deleted; but this is the easier way in which you can achieve this, by using the rules above. If you delete the user manually from the console, this doesn't mean that you are deleting everything with it, including database records. You need to do this yourself. So the simplest way is to use rules.

Additionally, if you delete all user records, then you can add a listener and force him to sign out, but this means that you need to search your database for all records and remove them accordingly. The first solution is easier, because you only need to add a single record in your database and that's it!

EDIT 2:

When you are deleting a user manually, this doesn't mean that the firebaseUser object will be null, so checking for nullity does not make any sense, because the user will still be authenticated till the next token refresh. So to solve this, you need to use Firebase rules to restrict the access.

So your code will always work. What I was trying to say is that between the time at which you delete the user manually from the console and the time at which you get a refreshed token, it can be up to an hour in which the user will still have access to your app, even if he is deleted. To stop this, for that hour, you need to use the solution above.

EDIT 3, according to the OP's comment:

Your code works well and will always work, but the problem is, even if you delete the user from the console he will still have access to the database till the next token refresh. And yes, the user will be able to access the database. That token will be valid for about an hour, and if you do not want that, you can restrict it using the security rules, so that in that hour the user does not have access anymore.

In other words, if you delete it also from the client side and it is not valid, and if someone else has 'stolen' this token, they could use it to access the DB. Not the user who is using your app, but someone who could have stolen that token.
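The client side of the usersToLogOut scheme and the asynchronous reload() check, as an added example that is neither the asker's nor the answerer's code. It assumes the usersToLogOut node and the rules shown in the answer; RevokedUserWatcher is a hypothetical helper class, and signOut() here hands control back to the onAuthStateChanged callback from the question, which then shows the signed-out UI.

```java
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthInvalidUserException;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.database.DataSnapshot;
import com.google.firebase.database.DatabaseError;
import com.google.firebase.database.DatabaseReference;
import com.google.firebase.database.FirebaseDatabase;
import com.google.firebase.database.ValueEventListener;

/** Hypothetical helper: enforces the usersToLogOut node on the client during the token's remaining lifetime. */
public class RevokedUserWatcher {
    private final FirebaseAuth auth = FirebaseAuth.getInstance();
    private DatabaseReference revokedRef;
    private ValueEventListener revokedListener;

    /** Call after sign-in (e.g. from onAuthStateChanged when getCurrentUser() != null). */
    public void watch(FirebaseUser user) {
        // 1. Live check: the moment usersToLogOut/<uid> is written (node is world-readable
        //    under the rules above), sign the client out without waiting for token refresh.
        revokedRef = FirebaseDatabase.getInstance()
                .getReference("usersToLogOut").child(user.getUid());
        revokedListener = new ValueEventListener() {
            @Override public void onDataChange(DataSnapshot snapshot) {
                if (snapshot.exists() && Boolean.TRUE.equals(snapshot.getValue(Boolean.class))) {
                    stop();
                    auth.signOut();   // drops the cached user; UI switches via onAuthStateChanged
                }
            }
            @Override public void onCancelled(DatabaseError error) {
                // Read denied or offline: the reload() check below still applies.
            }
        };
        revokedRef.addValueEventListener(revokedListener);

        // 2. Server-side check: reload() returns a Task<Void>, so inspect the Task result
        //    instead of re-testing the reference for null (it is never null at this point).
        user.reload().addOnCompleteListener(task -> {
            if (!task.isSuccessful()
                    && task.getException() instanceof FirebaseAuthInvalidUserException) {
                // Account disabled or deleted in the console: the refresh was refused.
                stop();
                auth.signOut();
            }
        });
    }

    public void stop() {
        if (revokedRef != null && revokedListener != null) {
            revokedRef.removeEventListener(revokedListener);
            revokedListener = null;
        }
    }
}
```

Deleting the uid entry from usersToLogOut is not enough to hide records the rules no longer protect, so the "posts" rule from the answer still has to stay in place for the rest of the token's lifetime.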
