How to Detect If The User Was Deleted from Firebase Auth

How can I detect if the user was deleted from Firebase auth?

You can achieve it by doing this inside appDelegate:

//Check if user does exists
    func checkUserAgainstDatabase(completion: @escaping (_ success: Bool, _ error: NSError?) -> Void) {
        guard let currentUser = Auth.auth()?.currentUser else { return }
        currentUser.getTokenForcingRefresh(true) { (idToken, error) in
            if let error = error {
                completion(false, error as NSError?)
                print(error.localizedDescription)
            } else {
                completion(true, nil)
            }
        }
    }

And you can do something like this after checking with the above function in didFinishLaunchingWithOptions:

If user does exist:

self.window?.rootViewController = self.storyboard?.instantiateViewController(withIdentifier: "CustomTabBarViewController")

else:

self.window?.rootViewController = self.storyboard?.instantiateViewController(withIdentifier: "WelcomeViewController")

And to test if it did work simply remove user manually from the Auth manager in the Firebase Console. So like this it should just show the welcome screen if user has been deleted.

Firebase Auth getCurrentUser() retrieves a deleted user

You can listen to AuthStateListener for FirebaseUser's state changes.

Why?, basically when you remove user from server or other device, it would still be valid in your current device because of it's token is not refreshed yet locally.

Find out about more here.

Doc states that:

There are some cases where getCurrentUser will return a non-null FirebaseUser but the underlying token is not valid.
This can happen, for example, if the user was deleted on another device and the local token has not refreshed.
In this case, you may get a valid user getCurrentUser but subsequent calls to authenticated resources will fail.

getCurrentUser might also return null because the auth object has not finished initializing.

If you attach an AuthStateListener you will get a callback every time the underlying token state changes. This can be useful to react to edge cases like those mentioned above.

Flutter firebase_auth detecting user deletion from firebase console

The userChanges stream responds to events that occur within the SDK itself, not general "realtime" events that occur elsewhere. The SDK documentation is a bit misleading on that point - it's not "realtime" like Realtime Database or Firestore. It's more fair to say that it's "reactive" to the change in state of the user, from the perspective of the SDK.

The stream will generate events when the user signs in or out. If the user account is deleted from the console, it will take up to an hour for that to reflect in the SDK, as it will only attempt to "refresh" the user within that period of time. It's not until that refresh happens that the SDK will consider the user "signed out".

How can i know if a user has been removed from firebase authentication Flutter

The Firebase Authentication client gets an ID token for the user, that is valid for one hour. Before that ID token expires (about 55 minutes after it is generated), the client tries to refresh the token. If the token can't be refreshed (for example: if you've deleted or disabled the account), the user will no longer be signed in on the client.

You can use an onAuthStateChanged listener to detect when this (and any other authentication state change) happens.

If you want the client to know of the change before that, you will have to use another mechanism to communicate the change. For example, it is quite common to also store the user profile in a database, such as Cloud Firestore or Realtime Database, and have the client listen to that too. You can update that database when you disable the user profile, and then (thanks to the realtime listeners of these databases) the update will be known on the client almost instantly.

If you also want to prevent the user from making any changes on the server once you delete/disable their account, you'll need to do that yourself. Their ID token is valid until it expires and can't be individually revoked, as that would sort'of defeat the purpose of such a bearer token.

So you'll typically also want to check against the user profile that you stored in the database, for example in the security rules of your databae.

When a Firebase user is deleted from Firebase console (after user login), it is not reflected in the application

When a user signs in to Firebase, they get an access/ID token that is valid for an hour. This ID token cannot be revoked, as that would require Firebase to perform a quite expensive check on each call.

So when you delete the user's account from the console, they may retain access for up to an hour, at which point they will need to refresh their token, which will fail (since you deleted their account). So their access will automatically disappear within an hour.

A few points:

If you want to lock the user out of the application before their ID token expires, you'll want to keep an additional list of banned UIDs somewhere. For example, if you're using a Firebase database, you can keep a global list of bannedUIDs, and add the UID to that. Then in your server-side security rules, you can check if the UID who's trying to access the database isn't banned.
If you delete the user's account, they can just sign up again and create a new account. For this reason it is typically better to disable their account, which accomplishes the same (they won't be able to get a new ID token after their current one expires), but prevents them from signing up again with the same credentials.

Also see:

the video Five tips to secure your app
User keeps login even if I delete the account
Why firebase user still signed in after I deleted it from firebase dashboard
Does deleting account from Firebase automatically logs user out?
User authentication persisted after having cancelled the user from console.firebase.google.com
Firebase user deleted but still logged in on device

Firebase - User still exist after delete

The Realtime Database is not the same as Authentication.

Deleting the user in Authentication will do the trick:

Sample Image

Firebase still retrieving authData after deletion

Deleting an account does not automatically expire the current session(s) for that account. Their current sessions will remain valid until they expire. You can set the session expiration interval in your Firebase Dashboard.

If you want to force the user to be logged out, call ref.unauth().

But in general you'll likely want to build authorization rules to prevent such users with valid tokens from deleted accounts to make changes to the data.

If you keep the user profiles in your database, you can check whether that record still exists in your security rules: root.child('users').child(auth.uid).exists().

Also see:

Firebase authentication not revoked when user deleted?
Deletion of User in firebase does not trigger onAuth method

Deleted Firebase User still can authenticate

How long did you wait after reinstalling the app? If you reinstalled the app shortly after uninstalling it, this is the expected behavior on iOS.

The reason for this is manyfold, so I'll list a few bits of how Firebase Authentication below:

Firebase Authentication uses two tokens to authenticate the user, a long-lived refresh token, and a short-lived ID token.
The ID token is valid for one hour from when it is minted. Once minted, an ID token can't be revoked, which is why Firebase doesn't have to perform an expensive extra check on every interaction.
The ID token is persisted on the device, so that restarting the app can quickly pick up the user's authentication state, as long as the token has not expired.
On iOS the ID token is stored in the user's keychain, which is not automatically deleted when you delete an app. See Firebase - Deleting and reinstalling app does not un-authenticate a user

Give it another hour or so, and you should see that the user is no longer authenticated. Alternatively, don't delete the user account, but disable it both in Firebase Authentication and in the back-end service that you're using. For an example of this see Firebase still retrieving authData after deletion and five tips to secure your app.