Firebase logout user all sessions
When I had this issue I resolved it with Cloud Functions.
Please visit this link for more details: https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens
Do the following:
- Set up a web server with Firebase Cloud Functions (if none exists)
- Use the Admin SDK (that's the only way this method would work) - [Visit this link](https://firebase.google.com/docs/admin/setup#initialize_the_sdk).
- Create an API that receives the uid and revokes current sessions as specified in the first link above
admin.auth().revokeRefreshTokens(uid)
  .then(() => {
    return admin.auth().getUser(uid);
  })
  .then((userRecord) => {
    return new Date(userRecord.tokensValidAfterTime).getTime() / 1000;
  })
  .then((timestamp) => {
    // return valid response to ios app to continue the user's login process
  });
Voila, users logged out. I hope this gives insight into resolving the issue.
How to logout all sessions once user deleted from auth firebase service?
When a user signs in to Firebase Authentication they get back an ID token that is valid for one hour. Until that token expires, there is no way to revoke it - at least not without changing the key that is used to sign all tokens.
This means that there is no way for the server to terminate existing sessions instantly.
Instead the common way to instantly lock out users is:
- Send a signal to the clients that they need to refresh the token, which will sign out those clients - and prevent them from signing in again. This of course won't stop a malicious user from trying to use the existing token, so...
- Check server-side whether the user account was deactivated before performing a sensitive operation. You can do this against the Firebase Authentication Admin SDK, but more common is to store the UIDs of recently deactivated accounts in the database you use, and then check in security rules or code.
For an example of this see the documentation on checking for ID token revocation.
Firebase logout all accounts when user change password
You have to log out and log in regularly to check if the credentials saved on the device are still valid. Depending on your security requirements you have to decide how often you do this. The most restrictive way would be before every Firebase call, the least restrictive would be when your app becomes active. I would:
- introduce a last password check Date entry in UserDefaults
- introduce a timeout constant (5 minutes)
- save Date() when logging in
- write a wrapper around calls that compares the time interval between now and last password check with timeout
- if timeinterval > timeout, re-login
Automatically signout users using Firebase
I also struggled with that issue. Unfortunately, with the default implementation of Firebase Auth it isn't possible anymore to change the duration of the refresh token.
You could solve it by using a timeout for an hour and then logging the user manually out.
// Declared outside the callback so the timer handle survives between auth state changes
let userSessionTimeout = null;
this.firebaseAuth.onAuthStateChanged((user) => {
  // Cancel any timer left over from the previous auth state
  if (userSessionTimeout) {
    clearTimeout(userSessionTimeout);
    userSessionTimeout = null;
  }
  if (user === null) {
    return; // signed out: nothing to schedule
  }
  user.getIdTokenResult().then((idTokenResult) => {
    const authTime = idTokenResult.claims.auth_time * 1000; // auth_time is in seconds
    const sessionDurationInMilliseconds = 60 * 60 * 1000; // 60 min
    const expirationInMilliseconds = sessionDurationInMilliseconds - (Date.now() - authTime);
    userSessionTimeout = setTimeout(() => this.firebaseAuth.signOut(), expirationInMilliseconds);
  });
});
How do I sign out users in Firebase 3.0?
In JavaScript you can sign out the user with:
firebase.auth().signOut().then(function() {
  console.log('Signed Out');
}, function(error) {
  console.error('Sign Out Error', error);
});
How do I disable and logout a user with firebase function?
Being signed-in to Firebase is based on an ID token. By default such a token is valid for an hour from the moment it was minted, and the token itself cannot be invalidated during that time.
The user will remain authenticated (for up to an hour) until their ID token needs to be refreshed. At that point they'll be logged out and won't be able to log in again.
If you want to block their access before that ID token refresh, you will need to do that through some other mechanism, for example by keeping a list of disabled UIDs and checking against that.
I recommend checking out the Firebase documentation on managing user sessions, specifically the section on detecting ID token revocation.
This topic has been covered before, so I recommend checking out:
- Firebase Authentication State Change does not fire when user is disabled or deleted
- Why firebase user still signed in after I deleted it from firebase dashboard
- Deleted user has access to Firebase Firestore
- And other questions on [firebase-authentication] disabled or deleted user still being signed in
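The server-side check that two answers on this page describe (storing the UIDs of recently deactivated accounts, and keeping a list of disabled UIDs to check against), sketched as an added example that is not part of any answer above. The names `checkSession`, `disabledUids` and `revokedAfter` are hypothetical, the data is constructed, and the claims are assumed to come from an ID token whose signature has already been verified.

```javascript
// Added example: decide whether an unexpired ID token should still be honoured.
// Hypothetical names and constructed data; in production the two stores below
// would live in the database or cache the backend already uses.

// UIDs of recently deactivated or deleted accounts.
const disabledUids = new Set(['uid-deleted']);

// uid -> epoch seconds. Sessions authenticated before this instant are rejected,
// the role tokensValidAfterTime plays after revokeRefreshTokens(uid).
const revokedAfter = new Map([['uid-pwchange', 1700000600]]);

function checkSession(claims, nowSec) {
  const wellFormed = typeof claims.sub === 'string' &&
    Number.isFinite(claims.auth_time) && Number.isFinite(claims.exp);
  if (!wellFormed) {
    return { ok: false, reason: 'malformed-claims' };
  }
  if (claims.exp <= nowSec) {
    return { ok: false, reason: 'expired' };
  }
  // The token is still valid on its own terms; the checks below are what
  // closes the window of up to one hour.
  if (disabledUids.has(claims.sub)) {
    return { ok: false, reason: 'account-disabled' };
  }
  const cutoff = revokedAfter.get(claims.sub);
  if (cutoff !== undefined && claims.auth_time < cutoff) {
    return { ok: false, reason: 'session-revoked' };
  }
  return { ok: true, reason: 'active' };
}

// Constructed sample claims, evaluated at a fixed "now".
const now = 1700001000;
const samples = [
  { sub: 'uid-alice', auth_time: 1700000000, exp: 1700003600 },    // normal user
  { sub: 'uid-deleted', auth_time: 1700000000, exp: 1700003600 },  // deleted, token unexpired
  { sub: 'uid-pwchange', auth_time: 1700000000, exp: 1700003600 }, // signed in before revocation
  { sub: 'uid-pwchange', auth_time: 1700000700, exp: 1700004300 }, // signed in again afterwards
  { sub: 'uid-alice', auth_time: 1699990000, exp: 1700000900 },    // past exp
];
for (const claims of samples) {
  console.log(claims.sub, claims.auth_time, checkSession(claims, now).reason);
}
```

Run the check before each sensitive operation, after signature verification, so that a deleted or revoked account is refused even though its token has not yet expired.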