How to force logout firebase auth user from app remotely


Problem description

I have a project which uses firebase auth with firebaseUI to authenticate users. I have enabled Google, Facebook and email providers. What I need is to remotely logout or disable some of the users.

I want the users to logout from the app on doing so. I tried disabling the user in the firebase console and also used the firebase admin SDK (https://firebase.google.com/docs/auth/admin/manage-sessions) to revoke the refresh tokens.

I waited for more than 2 days and still noticed that the user was logged in and could access the firestore data.

I have also gone through and tried "Firebase still retrieving authData after deletion".

Can anyone point to what I am doing wrong?

Recommended answer

You also cannot remotely force a user to be signed out. Any sign out will have to happen from the device that the user is signed in on.

There is no way to revoke an access token once that is minted. This means that even if you disable the user's account, they may continue to have access for up to an hour.

If that is too long, the trick (as also mentioned in my answer to the question you linked) is to maintain a list of blocked users in your database (or elsewhere) and then check against that in your security rules (or other authorization layer).

For example in the realtime database, you could create a list of blocked users' UIDs:

banned_uids: {
  "uid1": true,
  "uid2": true
}

And then check against that in your security rules with:

".read": "auth.uid !== null && !root.child('banned_uids').child(auth.uid).exists()"
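The same blocklist check placed in an application-side authorization layer, as an added example that is not part of the original answer. The function `authorize`, the in-memory `bannedUids` map and the sample tokens are constructed for illustration; the claims are assumed to come from an ID token whose signature has already been verified.

```javascript
// Added example: blocklist check in an authorization layer.
// Assumption: `claims` were decoded from an ID token that was already
// signature-verified elsewhere; this models only the allow/deny decision.

// Constructed sample data mirroring the banned_uids node in the answer.
const bannedUids = { uid1: true, uid2: true };

/**
 * Decide whether a request may read data.
 * @param {object|null} claims decoded token claims ({uid, exp}) or null
 * @param {object} banned map of uid -> true for blocked users
 * @param {number} nowSec current time in seconds since the epoch
 */
function authorize(claims, banned, nowSec) {
  if (!claims || typeof claims.uid !== "string" || claims.uid === "") {
    return { allow: false, reason: "unauthenticated" };
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) {
    return { allow: false, reason: "token-expired" };
  }
  // Own-property lookup, so a uid such as "__proto__" or "constructor"
  // can never match an inherited key of the map.
  const listed = Object.prototype.hasOwnProperty.call(banned, claims.uid);
  if (listed && banned[claims.uid] === true) {
    return { allow: false, reason: "banned" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed tokens: both minted at t=1000 with a one-hour lifetime.
const now = 1000 + 600; // ten minutes after minting
const activeUser = { uid: "uid9", exp: 1000 + 3600 };
const disabledUser = { uid: "uid1", exp: 1000 + 3600 };

// Without a blocklist, the disabled user's unexpired token is still accepted.
const withoutBlocklist = authorize(disabledUser, {}, now);
// With the blocklist, the same token is rejected on the next request.
const withBlocklist = authorize(disabledUser, bannedUids, now);
```
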
