Hey everyone Im trying to figuring out how I can disable and logout out a user correctly.
After researching I found out that in that way we disable the user .
const user = await admin.auth().updateUser(userUid, {
disabled: true,
});
But the question I have is, what is if the user is still logged in in the app? I tried out and nothing happened, the user can still use the app after disabling him. So what can we do about that? I was thinking about logging the user out with firebase function. My app is written in flutter backend is firebase.
Being signed-in to Firebase is based on an ID token. By default such a token is valid for an hour from the moment it was minted, and the token itself cannot be invalidated during that time.
The user will remain authenticated (for up to an hour) until their ID token needs to be refreshed. At that point they'll be logged out and won't be able to log in again.
If you want to block their access before that ID token refresh, you will need to do that through some other mechanism, for example by keeping a list of disabled UIDs and checking against that.
I recommend checking out the Firebase documentation on managing user sessions, specifically the section on detecting ID token revocation.
This topic has been covered before, so I recommend checking out:
Firebase Authentication State Change does not fire when user is disabled or deleted
Why firebase user still signed in after I deleted it from firebase dashboard
Deleted user has access to Firebase Firestore
And other questions on [firebase-authentication] disabled or deleted user still being signed in
Related
In my web application users can choose between multiple authentication providers. The browser persists the authentication state, so that a user is already logged in after closing the browser and visiting the app later.
I can hook into firebase.auth.onAuthStateChanged(...) to get the user id and other stuff. But I can not find the authentication provider which was used by the user. I need to know whether it was Google-Authentication, Telephone-Authentication or what ever...
You can find more details about with which providers the user is signed in by looking at the providerData property. This is an array, as a single account can be associated with multiple providers.
If a user account is associated with multiple providers, there is no way in the auth state listener to determine which provider they signed in with this time around as far as I know. You'll have to record that fact yourself by determining which signInWith... method you call in your application code.
My Ionic 3 mobile app i'm currently building allows login with firebase using both Email/Password and Facebook providers.
Everything's working great - but when the user logs in, in order to have a 'remember me' function that prevents them having to log in every time the app is closed (closing the app fully, or the system kills it), i need to be able to get some sort of token, store it, then use it later to take them straight past the authentication screen.
I've managed this already, but currently i'm storing their email and password, and i know this is a horrible thing to do. (I'm using Ionic Storage).
Is there a way to get a token that represents a user, and can be used to re-authenticate them?
I know about custom token logins, but they can only be created in NodeJS using the admin SDK - is there any solution i can run directly on the phone?
Thanks.
I have an Angular2 application and NodeJS server. I got stuck on implementing logout.
If I simply use req.session.destroy(), it does not have any effect on the Angular2 side. Angular2 still thinks that user is logged in. (because when I call a method which returns data about logged in user, it still returns it - even though it needs req.session.user to return this data).
I saw some solutions for this problem, but all I saw was using localStorage (saving user in localStorage and then deleting it after clicking logout).
Is there any other more efficient way to tell Angular2 from NodeJS that the user has logged out and that the session has ended?
If you use web token for user validation for instance then it should be possible to reset the token to null once the user has logged out.
You could have a look at User Authentication using JWT for ideas on implementation
I am integrating FB Login in my website. For this purpose I am using Javascript SDK. Here are the steps which I am trying to follow.
User clicks on FB Login option, user is shown with POP UP by FB to enter his credentials.
FB sends response which includes accessToken, expire time etc.
After this user will see registration form dedicated to my website filled with email and other basic entries. He has to just choose some username and then click on signup.
As soon as user clicks on signup his details will be stored into DB, his username will be kept in session and he is signed in now.
User logs-out. Now, user again clicks on FB Login, if there is email already present in DB I am making the user log into my website by putting his username in session.
Here, are my questions now.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
Also, is there a need to store access token in cookie/session?
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
As far as I know once access token expires Javascript SDK will generate new access token. So, if user logs in after a long time then this validation might not be applicable.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
No, if you are not planning to do any automated tasks for the user with your server. In this case you'd need to change the access token to a long-lived token, but that's another thread.
Also, is there a need to store access token in cookie/session?
No, Facebook's JS SDK does all the access token handling for you.
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
No. You can save the Facebook User ID to your database, which is more constant than the email. Email can change, user id does not. So you should compare the user ID.
And just as a side-note:
Facebook also has a server-side login flow that should be used to authenticate the user. If you just use JS SDK to authenticate the user, it would be relatively easy to log in as any user imaginable from the client.
I'm having some trouble wrapping my head around Facebook login coupled with my api security-wise for a webapp I'm creating. What do I need to store in my database, ID, token, something hashed etc? My flow so far is as follows:
When a user visit my app they see a welcome text with a button saying "Login with Facebook".
They hit the Facebook-button, if the user do not exist a new row is created in the database. For now I'm storing the user's Facebook name, id and a hashed token with the combination of the two. And then store a cookie with the token.
If the user return later to visit the app, they get redirected to the app without going through the Facebook login, because the token is stored in the cookie, and the user is found in the database based on it.
If the user return to the app without a the cookie token. The user has to hit the login with Facebook-button again, but now the user exist in the database and based on the name and id, I can find the user and return the token for a cookie.
Step 4 however seem a bit unsecure. Based on the name and id I can find a token of a user and set it in my cookie, granted I know (or can find?) the name and the id of that user I want to exploit.
This is my flow. Am I approaching this wrong, do I have to use the Facebook SDK C# in my Web API for server-side validation regarding a access token of some sort?
Any tips, hints or pointers to another flow is very welcome aswell.
Here is my desired flow: