Firebase Authentication State Change does not fire when user is disabled or deleted




Problem description

I am using Firebase Authentication in my Android app to sign up/in users using Google, Facebook and Email/Password. So far, almost everything works fine except for a single scenario.

The Scenario

I need to disable or delete user accounts from the Firebase console sometimes to ban some users of my app.

In that case, when I disable or delete that particular user, the user must get logged out from the app instantly and should not be able to use it any further.

The Bug

I have used the AuthStateListener to listen for authentication state changes and log out the user automatically as soon as their account is disabled or deleted.

FirebaseAuth.getInstance().addAuthStateListener(firebaseAuth -> {
    // Navigate back to the auth flow whenever there is no signed-in user
    if (firebaseAuth.getCurrentUser() == null) {
        Intent intent = AuthFlowActivity.getCallingIntent(AuthFlowActivity.FORCE_LOGOUT);
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
        startActivity(intent);
        activityExitAnimation(BaseAppActivity.this);
    }
});

But I have never seen the AuthStateListener fire any events for these actions. So I am unable to log out the user instantly and the user can still keep on using the app.

I would appreciate if anyone can help in resolving this issue.

Solution

Disabling or deleting a user account does not fire an auth state change. Nor should it: the user is still authenticated. In at most an hour, Firebase Authentication will try to refresh the access token for the user. That refresh will fail, at which point the user will become unauthenticated and the auth state change event will fire.

If you're looking to revoke the user's authorization immediately, you will have to do so in another part of your application logic. A common way to do this is by having a blacklist in your application, e.g. in the Firebase Database:

/bannedUsers
    uidOfBannedUser: true

Now when you delete/disable a user's account in the Authentication panel, you also add their uid to the list of banned users in the database.

The database can then be secured against access from unauthorized users by adding a clause to your database security rules, e.g.

{
  "rules": {
    "bannedUsers": {
      ".read": true,
      ".write": false // only admins can write these
    },
    "messages": {
      ".read": "auth != null && !root.child('bannedUsers').child(auth.uid).exists()"
    }
  }
}

If you use a different back-end, the implementation will be different. But a blacklist like this is a common approach to ban users. You'll find that you may even care little enough about their authentication that you only ban them, instead of deleting their credentials (which they could simply recreate).
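As an added example (not code from the question, the answer, or the Firebase SDKs), here is the client-side half of the answer's blacklist approach for the Android app in the question. The rules above already deny a banned uid access to /messages, but the token the client already holds stays valid until the next refresh, so the app also watches its own /bannedUsers/<uid> entry and signs out the moment it appears; signOut() in turn fires the AuthStateListener from the question with a null user, which sends the user back to the auth flow. The class name BanWatcher and its start()/stop() methods are this example's own; the Firebase calls (addAuthStateListener, getReference, addValueEventListener, signOut) are standard Android SDK APIs.

```java
// Added example, not from the original question or answer: enforce a ban on the
// client as soon as /bannedUsers/<uid> exists, complementing the database rules.
// BanWatcher, start() and stop() are names chosen for this example.
import androidx.annotation.NonNull;

import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.database.DataSnapshot;
import com.google.firebase.database.DatabaseError;
import com.google.firebase.database.DatabaseReference;
import com.google.firebase.database.FirebaseDatabase;
import com.google.firebase.database.ValueEventListener;

public final class BanWatcher {

    private final FirebaseAuth auth = FirebaseAuth.getInstance();
    private final DatabaseReference bannedUsers =
            FirebaseDatabase.getInstance().getReference("bannedUsers");

    private DatabaseReference watchedRef;    // bannedUsers/<uid> currently being watched
    private ValueEventListener banListener;  // listener attached to watchedRef

    // Re-evaluated on every auth state change: watch the signed-in user's entry,
    // and drop the watch when the user becomes null (explicit sign-out, or the
    // hourly token refresh failing after the account was disabled/deleted).
    private final FirebaseAuth.AuthStateListener authListener = firebaseAuth -> {
        FirebaseUser user = firebaseAuth.getCurrentUser();
        detachBanWatch();
        if (user != null) {
            attachBanWatch(user.getUid());
        }
    };

    /** Call from Activity.onStart(). */
    public void start() {
        auth.addAuthStateListener(authListener);
    }

    /** Call from Activity.onStop() to avoid leaking listeners. */
    public void stop() {
        auth.removeAuthStateListener(authListener);
        detachBanWatch();
    }

    private void attachBanWatch(String uid) {
        watchedRef = bannedUsers.child(uid);
        banListener = new ValueEventListener() {
            @Override
            public void onDataChange(@NonNull DataSnapshot snapshot) {
                // The entry exists -> an admin banned this account. Signing out
                // discards the cached token locally and fires the AuthStateListener
                // with a null user, which the question's code already handles.
                if (snapshot.exists()) {
                    auth.signOut();
                }
            }

            @Override
            public void onCancelled(@NonNull DatabaseError error) {
                // The read was denied by the rules. Fail closed: a client that
                // cannot verify it is not banned should not keep using the app.
                auth.signOut();
            }
        };
        watchedRef.addValueEventListener(banListener);
    }

    private void detachBanWatch() {
        if (watchedRef != null && banListener != null) {
            watchedRef.removeEventListener(banListener);
        }
        watchedRef = null;
        banListener = null;
    }
}
```

Treat this watcher as a convenience for honest clients only: a modified app can simply skip the sign-out, so the database rules remain the real enforcement point. Because the client only ever reads its own entry, the ".read": true on /bannedUsers in the answer's rules, which lets anyone enumerate banned uids, can be tightened to a per-user rule such as "bannedUsers": { "$uid": { ".read": "auth != null && auth.uid == $uid" } } without breaking this watcher.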
