I'm using Firebase Auth in my app. I wrote code in onStart().
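    private fun checkLogged() {
        // currentUser comes from the locally cached sign-in state
        if (Firebase.auth.currentUser != null) {
            startActivity(Intent(this@LoginActivity, MainActivity::class.java))
            finish()
        } else {
            // No cached user: clear any leftover session state
            auth.signOut()
        }
    }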
But when I disable or delete this user in the console, it's still logged in. How can I edit the code correctly?
CodePudding user response:
When a user successfully signs in with Firebase, they receive a token that is valid for about an hour. If you disable a user in the Firebase console, it doesn't mean that the access is restricted too. No, the user can still have access for about an hour. After that period of time, the token that was previously generated needs to be refreshed, but the operation will fail since the user account is disabled. A disabled account cannot get a new token. So the user can still have access until the access is automatically revoked.
If you want to remove that access before the token expires, then you should consider keeping an additional list of "banned" UIDs and maintaining it over time. For example, you can keep a global array of bannedUIDs in a Firestore document, and add the UID to that array. Then, in your security rules, you can check if that particular UID is banned or not. If that UID exists inside that array, then Firebase servers will reject the operation; otherwise, the user can continue to use your app.
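Added example, not part of the original answer: Firestore security rules implementing the banned-UID check described above. The document path `config/banned` and the `notes` collection are assumptions chosen for illustration; only the `bannedUIDs` array name comes from the answer.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout: a single document config/banned holding
    // { bannedUIDs: ["uid1", "uid2", ...] }.
    // The document must exist; if it is missing, get() fails and
    // the request is denied.
    function isBanned() {
      return request.auth.uid in
        get(/databases/$(database)/documents/config/banned).data.bannedUIDs;
    }

    // Signed in with a still-valid token AND not on the ban list.
    function isActiveUser() {
      return request.auth != null && !isBanned();
    }

    // The ban list itself is closed to all clients. Maintain it from
    // the Firebase console or the Admin SDK, which bypass these rules.
    match /config/banned {
      allow read, write: if false;
    }

    // Hypothetical app collection. Scope rules per collection rather
    // than with a recursive /{document=**} match: overlapping matches
    // are OR-ed together, so a broad allow would also expose
    // config/banned to client writes.
    match /notes/{noteId} {
      allow read, write: if isActiveUser();
    }
  }
}
```

Each request evaluated through `isBanned()` incurs a billed document read for the `get()` call, and a single Firestore document is limited to 1 MiB, which bounds how large the array can grow.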