Tags: android, firebase, firebase-security, firebase-realtime-database, firebase-authentication

Firebase deleted user is able to change data. How can I fix this without modifying application code?


I'm making an app with Firebase Auth, but when I delete or disable an account I need to call signOut() manually (I control this with a user reload); if I don't, the user can keep uploading data. How can I fix this without changing the app code?

Firebase rules

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}

App Code - How I detect it

// Force a refresh of the cached user record; the reload fails for deleted or disabled accounts.
if (user != null) {
    user.reload().addOnCompleteListener(this, new OnCompleteListener<Void>() {
        @Override
        public void onComplete(@NonNull Task<Void> task) {
            if (!task.isSuccessful()) {
                // Reload failed (account deleted or disabled): log it and sign the user out locally.
                String exc = task.getException().getMessage();
                Log.e("FireBaseUser", exc);
                auth.signOut();
            }
        }
    });
}

Solution

When a token is minted, it gets an expiration timestamp. This essentially says: "the information in this token is valid until ...". Deleting the user does not invalidate any existing tokens.

Keep in mind that since the newest Firebase Authentication SDKs, the tokens are only valid for one hour. So after at most an hour, the token will expire and it will be impossible for the deleted user to refresh it.

If this is not enough for your application, you can add logic to your application that marks the deleted users in the database (in a section that only the administrator can access):

/deletedUsers
  209103: true
  37370493: true

You can then in your security rules validate that only non-deleted users can access data:

".read": "!root.child('deletedUsers').child(auth.uid).exists()"
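To make the answer's reasoning concrete, here is an added example (not code from the question, the answer, or Firebase itself): a constructed JavaScript simulation of how a Realtime Database rule sees a deleted user's ID token. The token, the `auth` object, the database tree and the `exists()` lookup are toy models; `mintToken`, `authFromToken`, `childExists`, `simulate` and the rule functions are names chosen here. The hardened rule combines the answer's `deletedUsers` check with the question's original `auth.uid == $uid` check, which the answer's snippet leaves implicit.

```javascript
// Constructed simulation (added example): models why deleting a Firebase user does
// not stop writes until the ID token expires, and how a /deletedUsers check closes
// the gap in the rules. No real Firebase components are used.

const TOKEN_LIFETIME_MS = 60 * 60 * 1000; // ID tokens are valid for one hour

// A minted ID token carries the uid and an expiration timestamp.
function mintToken(uid, issuedAtMs) {
  return { uid, exp: issuedAtMs + TOKEN_LIFETIME_MS };
}

// What the rules engine exposes as `auth`: null for a missing or expired token,
// otherwise the token's claims. Whether the account still exists is NOT consulted,
// so a token issued before the deletion keeps working until `exp`.
function authFromToken(token, nowMs) {
  if (!token || nowMs >= token.exp) return null;
  return { uid: token.uid };
}

// Toy model of `root.child(a).child(b).exists()` over a plain object tree.
function childExists(root, ...path) {
  let node = root;
  for (const key of path) {
    if (node === null || typeof node !== 'object' || !(key in node)) return false;
    node = node[key];
  }
  return node !== null && node !== undefined;
}

// Rule from the question: ".write": "auth != null && auth.uid == $uid"
function originalWriteRule(auth, uid, root) {
  return auth !== null && auth.uid === uid;
}

// Rule from the answer combined with the uid check:
// ".write": "auth != null && auth.uid == $uid
//            && !root.child('deletedUsers').child(auth.uid).exists()"
function hardenedWriteRule(auth, uid, root) {
  return auth !== null && auth.uid === uid && !childExists(root, 'deletedUsers', auth.uid);
}

// Constructed scenario: the user signs in at t0, an administrator deletes the
// account 5 minutes later and records the uid under /deletedUsers (a node only the
// administrator can write), and the app keeps using the token it already holds.
function simulate(rule) {
  const uid = '209103'; // uid borrowed from the answer's example tree
  const t0 = Date.UTC(2024, 0, 1, 12, 0, 0);
  const token = mintToken(uid, t0);
  const root = { users: { [uid]: { note: 'constructed sample' } } }; // database tree

  const beforeDelete = rule(authFromToken(token, t0 + 60 * 1000), uid, root);

  // Admin-side deletion: the user record goes away and the uid is marked.
  // The client's token is untouched by either step.
  delete root.users[uid];
  root.deletedUsers = { [uid]: true };

  const afterDeleteWithinHour = rule(authFromToken(token, t0 + 5 * 60 * 1000), uid, root);
  const afterTokenExpiry = rule(authFromToken(token, t0 + TOKEN_LIFETIME_MS), uid, root);

  return { beforeDelete, afterDeleteWithinHour, afterTokenExpiry };
}

console.log('original rule:', simulate(originalWriteRule));
// original rule: { beforeDelete: true, afterDeleteWithinHour: true, afterTokenExpiry: false }
console.log('hardened rule:', simulate(hardenedWriteRule));
// hardened rule: { beforeDelete: true, afterDeleteWithinHour: false, afterTokenExpiry: false }
```

The simulation shows the two points of the answer side by side: with the original rule the deleted user's write still succeeds for the rest of the token's hour, and with the `deletedUsers` check the write is denied as soon as the administrator marks the uid, without any change to the client app. The `/deletedUsers` node only helps if clients cannot write to it, which is why the answer places it in an administrator-only section.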