当 Firebase 用户从 Firebase 控制台中删除时(用户登录后),它不会反映在应用程序中 [英] When a Firebase user is deleted from Firebase console (after user login), it is not reflected in the application
问题描述
user.uid 仍然存在(在这个 uid != null 的帮助下,我假设用户已登录).
The user.uid is still coming (with the help of this uid != null, I am assuming the user is logged in).
我也试过addAuthStateListener(mAuthListener),但我仍然得到之前删除的用户的 UID.
I also tried addAuthStateListener(mAuthListener), but I am still getting UID of the previously deleted user.
不使用数据库跟踪被禁止或删除的用户 ID 是否可以立即删除该用户.
Without using database track of banned or deleted user ids is it possible to remove that user instantly.
推荐答案
当用户登录 Firebase 时,他们会获得一个有效期为一小时的访问/ID 令牌.此 ID 令牌无法撤销,因为这需要 Firebase 对每次调用执行非常昂贵的检查.
When a user signs in to Firebase, they get an access/ID token that is valid for an hour. This ID token cannot be revoked, as that would require Firebase to perform a quite expensive check on each call.
因此,当您从控制台中删除用户的帐户时,他们可能会保留长达一个小时的访问权限,此时他们需要刷新他们的令牌,这将失败(因为您删除了他们的帐户).因此,他们的访问权限将在一个小时内自动消失.
So when you delete the user's account from the console, they may retain access for up to an hour, at which point they will need to refresh their token, which will fail (since you deleted their account). So their access will automatically disappear within an hour.
几点:
- 如果您想在用户 ID 令牌到期之前将其锁定在应用程序之外,您需要在某处保留一个额外的禁止 UID 列表.例如,如果您使用 Firebase 数据库,您可以保留
bannedUIDs的全局列表,并将 UID 添加到该列表中.然后在您的服务器端安全规则中,您可以检查尝试访问数据库的 UID 是否未被禁止. - 如果您删除用户的帐户,他们只需重新注册并创建一个新帐户即可.出于这个原因,通常最好禁用他们的帐户,这会实现相同的目的(他们在当前的 ID 令牌过期后将无法获得新的 ID 令牌),但会阻止他们使用相同的凭据再次注册.
- If you want to lock the user out of the application before their ID token expires, you'll want to keep an additional list of banned UIDs somewhere. For example, if you're using a Firebase database, you can keep a global list of
bannedUIDs, and add the UID to that. Then in your server-side security rules, you can check if the UID who's trying to access the database isn't banned. - If you delete the user's account, they can just sign up again and create a new account. For this reason it is typically better to disable their account, which accomplishes the same (they won't be able to get a new ID token after their current one expires), but prevents them from signing up again with the same credentials.
另见:
- 视频保护应用安全的五个技巧
- 即使我删除了帐户,用户仍然保持登录状态
- 为什么是 firebase 用户我从 firebase 仪表板中删除它后仍然登录
- 从 Firebase 中删除帐户是否会自动将用户注销?
- 用户身份验证在取消来自 console.firebase.google.com 的用户
- Firebase 用户已删除但仍登录设备
这篇关于当 Firebase 用户从 Firebase 控制台中删除时(用户登录后),它不会反映在应用程序中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
