Firebase Authentication State Change Does Not Fire When User Is Disabled or Deleted

Firebase Authentication State Change does not fire when user is disabled or deleted

Disabling or deleting a user account does not fire an auth state change. Nor should it: the user is still authenticated. In at most an hour, Firebase Authentication will try to refresh the access token for the user. That refresh will fail, at which point the user will become unauthenticated and the auth state change event will fire.

If you're looking to revoke the user's authorization immediately, you will have to do so in another part of your application logic. A common way to do this is by having a blacklist in your application, e.g. in the Firebase Database:

/bannedUsers
    uidOfBannedUser: true

Now when you delete/disable a user's account in the Authentication panel, you also add their uid to the list of banned users in the database.

The database can then be secured against access from unauthorized users by adding a clause to your database security rules, e.g.

{
  "rules": {
    "bannedUsers": {
      ".read": true,
      ".write": false // only admins can write these
    },
    "messages": {
      ".read": "auth != null && !root.child('bannedUsers').child(auth.uid).exists()"
    }
  }
}

If you use a different back-end, the implementation will be different. But a blacklist like this is a common approach to ban users. You'll find that you may even care little enough about their authentication that you only ban them, instead of deleting their credentials (which they could simply recreate).
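The following is an added example, not code from the answer above: a small JavaScript evaluator for the `messages` read clause in those rules, run against a constructed snapshot of the database. It is not Firebase's rules engine; it only mirrors the two primitives the clause uses (`auth`, which is `null` for unauthenticated requests, and `root.child(path).exists()`), so you can see why a user whose ID token is still valid is nevertheless denied once their UID appears under `/bannedUsers`.

```javascript
// Constructed sample data, shaped like the answer's /bannedUsers list.
const sampleRoot = {
  bannedUsers: { 'uid-banned': true },
  messages: { m1: { text: 'hello' } },
};

// Minimal stand-in for the rules "root" object: child(name).exists().
// Descending through a missing node yields a snapshot that does not exist.
function snapshot(node) {
  const isObject = node !== null && typeof node === 'object';
  return {
    child: (name) => snapshot(isObject ? node[name] : undefined),
    exists: () => node !== undefined && node !== null,
  };
}

// The clause from the answer's rules:
//   ".read": "auth != null && !root.child('bannedUsers').child(auth.uid).exists()"
// `auth` is null for unauthenticated requests, otherwise an object with `uid`.
function canReadMessages(root, auth) {
  const rootSnap = snapshot(root);
  return auth != null && !rootSnap.child('bannedUsers').child(auth.uid).exists();
}

// Mirrors ".write": false on /bannedUsers: no client can write it, so a
// banned user cannot remove their own marker. Admin SDK writes bypass rules.
function canWriteBannedUsers() {
  return false;
}

// Stand-alone run: three request shapes against the constructed data.
console.log('unauthenticated:', canReadMessages(sampleRoot, null));
console.log('authenticated, not banned:', canReadMessages(sampleRoot, { uid: 'uid-ok' }));
console.log('authenticated, banned:', canReadMessages(sampleRoot, { uid: 'uid-banned' }));
```

The banned user's request fails even though `auth` is non-null, which is the whole point of the list: the rule, not the token, is what cuts access off before the hour is up.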

Firebase database call working even when Authenticated user is disabled

Firebase Authentication works with a combination of long-lived refresh tokens and short-lived ID tokens. The latter tokens are valid for one hour from the moment they are minted, and cannot be made invalid after they are minted.

So it may take up to an hour before your client gets a new token, and detects that its account has been disabled. You can force the client to update its ID token at any time by calling getIdToken(true). This will ensure the client has an updated ID token, but it won't invalidate the older ID token (since it's impossible to invalidate a bearer token).

What you'll want to do is write the UID or ID token to your database when you disable the user account, and then check for that in your security rules.

Also see the Firebase documentation on detecting token revocation.

How To Check Whether User is Disabled or Not in Firebase Auth

You can check the state by calling FirebaseAuth.getInstance().getCurrentUser().reload() or FirebaseUser.reload(). This manually refreshes the data of the current user (for example, attached providers, display name, and so on).

In Android Java, if (1st) the email account is disabled in the Firebase Authentication Dashboard and (2nd) the above .reload() call is made in your Android code, then the next FirebaseAuth.getInstance().getCurrentUser() call will return null.

OR

A FirebaseAuthInvalidUserException is thrown if the current user's account has been disabled, deleted, or its credentials are no longer valid.
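As an added example (not the answer's Android code), here is the same `reload()` probe written against the Firebase JS SDK's `User` object, which exposes `reload()` as a promise. The mapping of rejection codes is an assumption to verify against the SDK version you ship: `auth/user-disabled` is what I expect for a disabled account and `auth/user-token-expired` for an account that was deleted or whose credential is no longer valid; anything else (typically a network failure) is rethrown so a flaky connection is not mistaken for a banned user. The fake `User` objects at the bottom are constructed so the block runs offline.

```javascript
// Assumed mapping from JS SDK error codes to an account status.
const STATUS_BY_CODE = {
  'auth/user-disabled': 'disabled',
  'auth/user-token-expired': 'deleted-or-invalid',
};

// Synchronous classifier, kept separate so it can be unit-tested directly.
// Returns null for errors that say nothing about the account itself.
function classifyReloadError(err) {
  const code = err && err.code;
  return STATUS_BY_CODE[code] || null;
}

// Resolves to 'active' when reload() succeeds, to a status string when the
// server rejects the account, and rethrows anything else.
async function probeAccountStatus(user) {
  if (!user) return 'signed-out';
  try {
    await user.reload();
    return 'active';
  } catch (err) {
    const status = classifyReloadError(err);
    if (status) return status;
    throw err;
  }
}

// Constructed stand-ins for firebase.User, so this runs without a project.
const fakeActiveUser = { reload: () => Promise.resolve() };
const fakeDisabledUser = { reload: () => Promise.reject({ code: 'auth/user-disabled' }) };
const fakeDeletedUser = { reload: () => Promise.reject({ code: 'auth/user-token-expired' }) };
const fakeOfflineUser = { reload: () => Promise.reject(new Error('network')) };

// Stand-alone run over the constructed users.
Promise.all([fakeActiveUser, fakeDisabledUser, fakeDeletedUser].map(probeAccountStatus))
  .then((statuses) => console.log(statuses));
```

Because `reload()` goes to the server, this probe tells you the account's state now rather than waiting for the hourly token refresh; it does not, however, invalidate the ID token the client already holds, so the server-side list described elsewhere on this page is still needed for data access.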

How do I disable and log out a user with a Firebase function?

Being signed-in to Firebase is based on an ID token. By default such a token is valid for an hour from the moment it was minted, and the token itself cannot be invalidated during that time.

The user will remain authenticated (for up to an hour) until their ID token needs to be refreshed. At that point they'll be logged out and won't be able to log in again.

If you want to block their access before that ID token refresh, you will need to do that through some other mechanism, for example by keeping a list of disabled UIDs and checking against that.

I recommend checking out the Firebase documentation on managing user sessions, specifically the section on detecting ID token revocation.

This topic has been covered before, so I recommend checking out:

  • Firebase Authentication State Change does not fire when user is disabled or deleted
  • Why firebase user still signed in after I deleted it from firebase dashboard
  • Deleted user has access to Firebase Firestore
  • And other questions on [firebase-authentication] disabled or deleted user still being signed in
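Both this answer and the one above ("Firebase database call working even when Authenticated user is disabled") point at the Firebase documentation on detecting ID token revocation. As an added example, not from either answer, the block below shows the server-side check that documentation describes: an ID token remains a valid bearer token until it expires, so a backend detects revocation by comparing the token's `auth_time` claim with the user record's `tokensValidAfterTime`, which the Admin SDK sets when `revokeRefreshTokens(uid)` is called. The `authorizeRequest` guard also consults the user's `disabled` flag and an application-level banned list, since disabling an account does not touch tokens already issued. The `fakeAdminAuth` object is a constructed stand-in for `admin.auth()` (its "tokens" are plain JSON) so the block runs offline; in production, `verifyIdToken(idToken, true)` performs this same comparison for you.

```javascript
// Pure check: decoded ID token claims vs. the Admin SDK user record.
// auth_time is the sign-in time in seconds since the epoch;
// tokensValidAfterTime is a UTC date string, or unset if never revoked.
function isRevoked(decodedToken, userRecord) {
  if (!userRecord.tokensValidAfterTime) return false;
  const validAfterSec = Date.parse(userRecord.tokensValidAfterTime) / 1000;
  return decodedToken.auth_time < validAfterSec;
}

// Request-level guard a backend runs before serving data. bannedUids is the
// application's own list (the Set here stands in for a database lookup).
async function authorizeRequest(adminAuth, bannedUids, idToken) {
  const decoded = await adminAuth.verifyIdToken(idToken);
  const user = await adminAuth.getUser(decoded.uid);
  if (user.disabled) return { ok: false, reason: 'disabled' };
  if (bannedUids.has(decoded.uid)) return { ok: false, reason: 'banned' };
  if (isRevoked(decoded, user)) return { ok: false, reason: 'revoked' };
  return { ok: true, uid: decoded.uid };
}

// Constructed fake of the Admin SDK auth() surface. Real verifyIdToken
// checks the signature and expiry; this fake just parses JSON.
const REVOKE_TIME = '2024-01-02T00:00:00Z';
const fakeAdminAuth = {
  users: {
    'uid-1': { uid: 'uid-1', disabled: false, tokensValidAfterTime: REVOKE_TIME },
    'uid-2': { uid: 'uid-2', disabled: true },
  },
  async verifyIdToken(token) { return JSON.parse(token); },
  async getUser(uid) { return this.users[uid]; },
};

// Helper to build a constructed "token" signed in at a given offset (seconds)
// from the revocation time.
function fakeToken(uid, offsetFromRevokeSec) {
  return JSON.stringify({ uid, auth_time: Date.parse(REVOKE_TIME) / 1000 + offsetFromRevokeSec });
}

// Stand-alone run: a token minted before revocation, one minted after, and
// one for a disabled account.
Promise.all([
  authorizeRequest(fakeAdminAuth, new Set(), fakeToken('uid-1', -60)),
  authorizeRequest(fakeAdminAuth, new Set(), fakeToken('uid-1', 60)),
  authorizeRequest(fakeAdminAuth, new Set(), fakeToken('uid-2', 60)),
]).then((results) => console.log(results));
```

The three outcomes are what the answers describe: the old token is rejected only because the backend checks, not because the token itself changed; a fresh sign-in after revocation is accepted; and the disabled account is refused regardless of its token.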

How to get ID of disabled firebase user (during authentication)?

As far as I know the UID matching the credentials is not exposed in this error message, so you will have to look it up another way. The best I can think of is using the Admin SDK to find the user by their email address.

Detect account disable on Firebase Console

There is not really a more direct way. Firebase Auth is not "realtime". When an account is disabled, the SDK does not know about it immediately. In fact, the user's auth token will stay valid for up to another hour after the time it was disabled. When the token finally expires, the SDK will no longer be able to refresh it, and the user will become signed out. Your code will then see that the user is signed out, and they will not be able to sign in again.

When a Firebase user is deleted from Firebase console (after user login), it is not reflected in the application

When a user signs in to Firebase, they get an access/ID token that is valid for an hour. This ID token cannot be revoked, as that would require Firebase to perform a quite expensive check on each call.

So when you delete the user's account from the console, they may retain access for up to an hour, at which point they will need to refresh their token, which will fail (since you deleted their account). So their access will automatically disappear within an hour.

A few points:

  • If you want to lock the user out of the application before their ID token expires, you'll want to keep an additional list of banned UIDs somewhere. For example, if you're using a Firebase database, you can keep a global list of bannedUIDs, and add the UID to that. Then in your server-side security rules, you can check if the UID who's trying to access the database isn't banned.
  • If you delete the user's account, they can just sign up again and create a new account. For this reason it is typically better to disable their account, which accomplishes the same (they won't be able to get a new ID token after their current one expires), but prevents them from signing up again with the same credentials.

Also see:

  • the video Five tips to secure your app
  • User keeps login even if I delete the account
  • Why firebase user still signed in after I deleted it from firebase dashboard
  • Does deleting account from Firebase automatically logs user out?
  • User authentication persisted after having cancelled the user from console.firebase.google.com
  • Firebase user deleted but still logged in on device
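As an added example (not from this answer or any Firebase project), the block below is the admin-side "ban" procedure the two points above describe, written for the Firebase Admin SDK for Node.js: it disables the account with `admin.auth().updateUser(uid, { disabled: true })` rather than deleting it, so the person cannot simply sign up again, and records the UID under `/bannedUsers` with `admin.database().ref(path).set(true)` so security rules can reject the ID token the user still holds. The two clients are injected as parameters, and `makeFakes()` builds constructed stand-ins so the function can run here without a project.

```javascript
// Ban a user: mark them in the database first, then disable the account.
// Writing the marker first means rules already reject the user the next time
// their still-valid ID token is used, even if the disable call is slow.
async function banUser(adminAuth, db, uid) {
  await db.ref(`bannedUsers/${uid}`).set(true);
  const record = await adminAuth.updateUser(uid, { disabled: true });
  return { uid: record.uid, disabled: record.disabled };
}

// Reverse the ban without deleting anything: re-enable and clear the marker.
async function unbanUser(adminAuth, db, uid) {
  const record = await adminAuth.updateUser(uid, { disabled: false });
  await db.ref(`bannedUsers/${uid}`).set(null); // set(null) removes the node
  return { uid: record.uid, disabled: record.disabled };
}

// Constructed fakes standing in for admin.auth() and admin.database().
// updateUser resolves with a UserRecord-like object, as the real one does.
function makeFakes() {
  const users = { 'uid-1': { uid: 'uid-1', disabled: false } };
  const data = {};
  const adminAuth = {
    async updateUser(uid, props) {
      if (!users[uid]) throw new Error('auth/user-not-found');
      Object.assign(users[uid], props);
      return users[uid];
    },
  };
  const db = {
    ref: (path) => ({
      set: async (value) => { if (value === null) delete data[path]; else data[path] = value; },
    }),
  };
  return { adminAuth, db, users, data };
}

// Stand-alone run against the fakes.
const demo = makeFakes();
banUser(demo.adminAuth, demo.db, 'uid-1')
  .then((r) => console.log('banned:', r, demo.data))
  .then(() => unbanUser(demo.adminAuth, demo.db, 'uid-1'))
  .then((r) => console.log('unbanned:', r, demo.data));
```

Pairing the two steps is what gives you both halves of the answer's advice: the database marker cuts off data access within the hour the ID token remains valid, and the disabled flag stops any new token from being minted once it expires.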
