Is there a way to log out a specific user using firebase auth go sdk?

Time:12-15

background of this question

I'm using Firebase Auth for user authentication in my app. I realized that Firebase doesn't keep a log of user information changes, so I can't answer user questions about it. So, I'm planning to move the feature of changing user account info (like email, display name, and password) from the client-side Firebase Auth library to the server-side Firebase Auth SDK, so that I can log these changes and use the logs for user support. Also, I'd like to log out a user who changes account info.

I've looked for the appropriate API in the documentation for firebase.google.com/go/v4/auth and found the UpdateUser function. The struct UserToUpdate, which is a parameter of UpdateUser, can set a new email address, new password and new display name, but I can't find a parameter to set to log a user out.

my question

Is there a way to log out a specific user using the Firebase Auth Go SDK?

CodePudding user response:

Firebase Authentication's client-side sign-in is based on ID tokens, which are valid until their built-in expiration (by default: an hour after they are minted). Since no server keeps a list of all the ID tokens it has minted, there is no way to mark a token as invalid on such a list either.

The common approach to revoke access for a user is to:

  1. Revoke the refresh token, so that they can no longer mint new ID tokens with it.
  2. Add the ID token(s) of the user to a self-managed list of revoked ID tokens.
  3. Detect the presence of an ID token in this list from your server-side code and security rules.
  4. Optionally detect the refresh token revocation on the client.

Instead of logging the user out, you can also force-refresh their ID token/profile on the client to get the latest information from the server.
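
An added sketch of steps 2 and 3 above (not part of the original answer or of the Firebase SDK): instead of listing individual ID tokens, it stores one cutoff time per user and rejects any token whose `auth_time` predates it. `Claims`, `RevocationList`, and the sample UID and times are hypothetical names and constructed values; the token is assumed to have passed signature and expiry verification already, and step 1 is assumed to be done with the Admin SDK's `RevokeRefreshTokens` just before `Revoke` is called.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Claims holds fields from an ID token whose signature and expiry were already verified.
type Claims struct {
	UID      string
	AuthTime time.Time // "auth_time" claim: when the user actually signed in
}

var ErrRevoked = errors.New("id token revoked")

// RevocationList is the self-managed list: per UID, sign-ins before the cutoff are void.
type RevocationList struct {
	mu     sync.RWMutex
	cutoff map[string]time.Time
}

// Revoke is called right after the server updates the account and revokes refresh tokens.
func (r *RevocationList) Revoke(uid string, at time.Time) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.cutoff == nil {
		r.cutoff = map[string]time.Time{}
	}
	if at.After(r.cutoff[uid]) { // never move a cutoff backwards
		r.cutoff[uid] = at
	}
}

// Check rejects tokens whose sign-in predates the user's cutoff.
func (r *RevocationList) Check(c Claims) error {
	r.mu.RLock()
	defer r.mu.RUnlock()
	if cut, ok := r.cutoff[c.UID]; ok && c.AuthTime.Before(cut) {
		return ErrRevoked
	}
	return nil
}

func main() {
	rl, t0 := RevocationList{}, time.Unix(1700000000, 0) // constructed sample time
	rl.Revoke("uid-123", t0.Add(10*time.Minute))
	fmt.Println(rl.Check(Claims{UID: "uid-123", AuthTime: t0})) // session from before the change
}
```

Because ID tokens expire on their own, a cutoff entry only matters for as long as a token minted before it can still be valid; a production store would be shared across server instances rather than held in process memory.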
