Firebase Logout User All Sessions

Firebase logout user all sessions

When I had this issue, I resolved it with Cloud Functions.
Please visit this link for more details: https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens

Do the following:

  1. Set up a web server with Firebase Cloud Functions (if none exists).
  2. Use the Admin SDK (that's the only way this method would work). Visit this link: https://firebase.google.com/docs/admin/setup#initialize_the_sdk
  3. Create an API that receives the uid and revokes current sessions as specified in the first link above:
    admin.auth().revokeRefreshTokens(uid)
      .then(() => {
        // Fetch the user record to read the new revocation time
        return admin.auth().getUser(uid);
      })
      .then((userRecord) => {
        // tokensValidAfterTime converted to seconds since the epoch
        return new Date(userRecord.tokensValidAfterTime).getTime() / 1000;
      })
      .then((timestamp) => {
        // return valid response to iOS app to continue the user's login process
      });

Voilà, users logged out. I hope this gives insight into resolving the issue.

How to logout all sessions once user deleted from auth firebase service?

When a user signs in to Firebase Authentication they get back an ID token that is valid for one hour. Until that token expires, there is no way to revoke it - at least not without changing the key that is used to sign all tokens.

This means that there is no way for the server to terminate existing sessions instantly.

Instead the common way to instantly lock out users is:

  1. Send a signal to the clients that they need to refresh the token, which will sign out those clients - and prevent them from signing in again. This of course won't stop a malicious user from trying to use the existing token, so...

  2. Check server-side whether the user account was deactivated before performing a sensitive operation. You can do this against the Firebase Authentication Admin SDK, but more common is to store the UIDs of recently deactivated accounts in the database you use, and then check in security rules or code.

For an example of this see the documentation on checking for ID token revocation.
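The server-side check from step 2, as an added example that is not part of the original answer or Firebase's own code. `RevocationStore`, `checkSession` and `demo` are hypothetical names, the in-memory Map and Set stand in for your database, and the claims are assumed to come from an ID token that was already signature-verified:

```javascript
// Added example. RevocationStore and checkSession are hypothetical names,
// not Firebase APIs. The Map and Set stand in for database records.
class RevocationStore {
  constructor() {
    this.revokedAfter = new Map(); // uid -> revocation time, seconds since epoch
    this.disabled = new Set();     // uids of deactivated or deleted accounts
  }
  // Feed this the timestamp derived from userRecord.tokensValidAfterTime
  // after revokeRefreshTokens(uid) has run.
  recordRevocation(uid, tokensValidAfterSeconds) {
    const previous = this.revokedAfter.get(uid) ?? 0;
    this.revokedAfter.set(uid, Math.max(previous, tokensValidAfterSeconds));
  }
  recordDisabled(uid) {
    this.disabled.add(uid);
  }
}

// `claims` is assumed to be an ID token payload whose signature was already
// verified (for example by the Admin SDK's verifyIdToken()).
function checkSession(store, claims, nowSeconds = Math.floor(Date.now() / 1000)) {
  const uid = claims && (claims.uid || claims.sub);
  if (!uid || !Number.isFinite(claims.auth_time) || !Number.isFinite(claims.exp)) {
    return { ok: false, reason: 'malformed-claims' }; // fail closed
  }
  if (claims.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  if (store.disabled.has(uid)) return { ok: false, reason: 'user-disabled' };
  const revokedAt = store.revokedAfter.get(uid);
  // A sign-in older than the revocation time is stale even though the
  // token's signature and exp are still good for up to an hour.
  if (revokedAt !== undefined && claims.auth_time < revokedAt) {
    return { ok: false, reason: 'session-revoked' };
  }
  return { ok: true, reason: null };
}

// Constructed sample data: alice signed in 10 minutes before a revocation.
function demo(now = 1700000000) {
  const store = new RevocationStore();
  const oldToken = { uid: 'alice', auth_time: now - 600, exp: now + 3000 };
  const before = checkSession(store, oldToken, now);
  store.recordRevocation('alice', now - 60);
  const after = checkSession(store, oldToken, now);
  const fresh = checkSession(store, { uid: 'alice', auth_time: now - 10, exp: now + 3590 }, now);
  return { before, after, fresh };
}
```

Run the check before every sensitive operation, since a revoked session's ID token still passes signature and expiry validation until it ages out.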

Firebase logout all accounts when user change password

You have to log out and log in regularly to check if the credentials saved on the device are still valid. Depending on your security requirements you have to decide how often you do this. The most restrictive way would be before every Firebase call, the least restrictive would be when your app becomes active. I would:

  • introduce a last password check Date entry in UserDefaults
  • introduce a timeout constant (5 minutes)
  • save Date() when logging in
  • write a wrapper around calls that compares the time interval between now and the last password check with the timeout
  • if time interval > timeout, re-login

Automatically signout users using Firebase

I also struggled with that issue. Unfortunately, with the default implementation of Firebase Auth it isn't possible anymore to change the duration of the refresh token.

You could solve it by using a timeout of an hour and then manually logging the user out.

    // Kept outside the callback so the timer handle survives between auth state changes
    let userSessionTimeout = null;

    this.firebaseAuth.onAuthStateChanged((user) => {
        if (user === null) {
            // Signed out: cancel any pending automatic sign-out
            if (userSessionTimeout) {
                clearTimeout(userSessionTimeout);
                userSessionTimeout = null;
            }
            return;
        }
        user.getIdTokenResult().then((idTokenResult) => {
            const authTime = idTokenResult.claims.auth_time * 1000;
            const sessionDurationInMilliseconds = 60 * 60 * 1000; // 60 min
            const expirationInMilliseconds = sessionDurationInMilliseconds - (Date.now() - authTime);
            // Sign the user out once the session duration since auth_time has elapsed
            userSessionTimeout = setTimeout(() => this.firebaseAuth.signOut(), expirationInMilliseconds);
        });
    });

How do I sign out users in Firebase 3.0?

In JavaScript you can sign out the user with:

    firebase.auth().signOut().then(function() {
        console.log('Signed Out');
    }, function(error) {
        console.error('Sign Out Error', error);
    });

How do I disable and logout a user with firebase function?

Being signed-in to Firebase is based on an ID token. By default such a token is valid for an hour from the moment it was minted, and the token itself cannot be invalidated during that time.

The user will remain authenticated (for up to an hour) until their ID token needs to be refreshed. At that point they'll be logged out and won't be able to log in again.

If you want to block their access before that ID token refresh, you will need to do that through some other mechanism, for example by keeping a list of disabled UIDs and checking against that.

I recommend checking out the Firebase documentation on managing user sessions, specifically the section on detecting ID token revocation.

This topic has been covered before, so I recommend checking out:

  • Firebase Authentication State Change does not fire when user is disabled or deleted
  • Why firebase user still signed in after I deleted it from firebase dashboard
  • Deleted user has access to Firebase Firestore
  • And other questions on [firebase-authentication] disabled or deleted user still being signed in

