4

The user.uid is still coming (with the help of this uid != null, I am assuming the user is logged in).

I also tried addAuthStateListener(mAuthListener), but I am still getting the UID of the previously deleted user.

Without using a database to keep track of banned or deleted user IDs, is it possible to remove that user instantly?

Joseph Samuel
  • What do you mean by "The user.uid is still coming"? Where/how is it "coming"? Can you show us the code related to the problem? – camden_kid Mar 02 '19 at 12:57
  • 1
    Got the answer bro @camden_kid. If I delete the user from the console, the ID token will be active for an hour – Joseph Samuel Mar 02 '19 at 19:23

1 Answer

10

When a user signs in to Firebase, they get an access/ID token that is valid for an hour. This ID token cannot be revoked, as that would require Firebase to perform a quite expensive check on each call.

So when you delete the user's account from the console, they may retain access for up to an hour, at which point they will need to refresh their token, which will fail (since you deleted their account). So their access will automatically disappear within an hour.

A few points:

  • If you want to lock the user out of the application before their ID token expires, you'll want to keep an additional list of banned UIDs somewhere. For example, if you're using a Firebase database, you can keep a global list of bannedUIDs, and add the UID to that. Then in your server-side security rules, you can check if the UID who's trying to access the database isn't banned.
  • If you delete the user's account, they can just sign up again and create a new account. For this reason it is typically better to disable their account, which accomplishes the same (they won't be able to get a new ID token after their current one expires), but prevents them from signing up again with the same credentials.

Frank van Puffelen
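
The banned-UID check from the first bullet of the answer, written as Firebase Realtime Database security rules. This is an added example, not part of the original answer; the `posts` path, its `owner` field, and the `bannedUIDs/<uid> = true` layout are assumptions made for illustration.

```json
{
  "rules": {
    // Assumed layout: /bannedUIDs/<uid> = true.
    // Clients can neither read nor write the list; a trusted server
    // maintains it through the Admin SDK, which bypasses these rules.
    "bannedUIDs": {
      ".read": false,
      ".write": false
    },

    // "posts" is a hypothetical data path.
    "posts": {
      // Weak form this replaces: "auth != null".
      // That rule alone keeps accepting a deleted or disabled user's
      // ID token until the token expires.
      ".read": "auth != null && !root.child('bannedUIDs').child(auth.uid).exists()",

      "$postId": {
        // Same ban check on writes, plus an ownership check on the
        // hypothetical "owner" field.
        ".write": "auth != null && !root.child('bannedUIDs').child(auth.uid).exists() && (!data.exists() || data.child('owner').val() === auth.uid) && newData.child('owner').val() === auth.uid"
      }
    }
  }
}
```

Because the rules are evaluated on every read and write, adding a UID under `bannedUIDs` takes effect on that user's next request, without waiting for the ID token to expire.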