Home > Back-end >  Firebase database call working even when Authenticated user is disabled
Firebase database call working even when Authenticated user is disabled

Time:05-29

I use Firebase Firestore and Firebase Authentication in my project.

I am testing out what would happen if I go into firebase console and manually click the "Disable account".

firebase console

I would expect that if the account is suspended, the authenticated user ([email protected] in this case) will immediately receive error whenever a Firestore database is called (eg. getDocs(q) or setDoc()). The reason behind this assumption is that I assume Firestore tries to authenticate each call before doing CRUD.

However, after testing out, here is the test and result

  1. Login user ([email protected])
  2. Do a db read or write ensure everything works which it does
  3. Go to firebase console and disable the account ([email protected]).
  4. Try to do another db read or write. The result here is that I was able to still read and write which is not what I expected.

So here are my questions

  1. Is this a normal behavior?
  2. Can I write Firebase security rule to overcome this issue?
  3. It would be less idea if I have to check if user is logged in everytime I do a firestore call. But if that is what I have to do, how can I do that. I believe getAuth()and onAuthStateChanged is not really suitable in this case. Reason being getAuth() seems to only check the database the first time it is called. Any subsequence call it only checks the app memory and do not perform any network request at all (Verified by looking into console network tab). Which is kinda weird. And onAuthStateChanged does not listen to firebase state change, it only listens to if my app logs a user in or out.

Abit of background on what I am trying to achieve

  • I want to be able to lock a user out from my app by changing something from the db. And ideally not having to PING every few second .

Update:

It seems like it takes about 1-2 hour for my app to automatically recognise that the account has been disabled. It took takes alot longer than what I anticipated. I would still like to know if there is a better solution rather than wait though.

CodePudding user response:

It may take a few minutes for the change to propagate. How long have you waited?

CodePudding user response:

Firebase Authentication works with a combination of long-lived refresh tokens and short-lived ID tokens. The latter tokens are valid for one hour from the moment they are minted, and cannot be made invalid after they are minted.

So it may take up to an hour before your client gets a new token, and detects that its account has been disabled. You can force the client to update its ID token at any time by calling getIDToken(true). This will ensure the client has an updated ID token, but it won't invalidate the older ID token (since it's impossible to invalidate a bearer token).

What you'll want to do is write the UID or ID token to your database when you disable the user account, and then check for that in your security rules.

Also see the Firebase documentation on detecting token revocation.

  • Related