i6x86

Reputation: 1627

Deleted Firebase User still can authenticate

I've manually deleted a Firebase user, then removed the app from the device (a physical iPhone), and when I reinstall it, it passes through the auth check, printing the deleted user's email and all. This is the method I use to check whether the user exists:

home: FutureBuilder<FirebaseUser>(
  // Resolves whatever user the SDK has cached on the device (null if none).
  future: Provider.of<AuthService>(context).getUser(),
  builder: (context, AsyncSnapshot<FirebaseUser> snapshot) {
    if (snapshot.connectionState == ConnectionState.done) {
      if (snapshot.error != null) {
        print('error');
        return Text(snapshot.error.toString());
      }
      user = snapshot.data;
      // Null-safe access: `user` is null when nobody is signed in.
      print(user?.email);
      // A cached (non-null) user is sent straight to the home screen.
      return snapshot.hasData ? HomeScreen(user, pos) : LoginScreen();
    } else {
      return LoadingCircle();
    }
  },
)

How is this possible? Can anyone explain, please, why the user is still there when I deleted it from the Auth Users on Firebase?

Upvotes: 2

Views: 2790

Answers (1)

Frank van Puffelen

Reputation: 598728

How long did you wait after reinstalling the app? If you reinstalled the app shortly after uninstalling it, this is the expected behavior on iOS.

The reasons for this are manifold, so I'll list a few bits of how Firebase Authentication works below:

  1. Firebase Authentication uses two tokens to authenticate the user, a long-lived refresh token, and a short-lived ID token.

  2. The ID token is valid for one hour from when it is minted. Once minted, an ID token can't be revoked, which is why Firebase doesn't have to perform an expensive extra check on every interaction.

  3. The ID token is persisted on the device, so that restarting the app can quickly pick up the user's authentication state, as long as the token has not expired.

  4. On iOS the ID token is stored in the user's keychain, which is not automatically deleted when you delete an app. See Firebase - Deleting and reinstalling app does not un-authenticate a user

Give it another hour or so, and you should see that the user is no longer authenticated. Alternatively, don't delete the user account, but disable it both in Firebase Authentication and in the back-end service that you're using. For an example of this see Firebase still retrieving authData after deletion and five tips to secure your app.

Upvotes: 12
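
The token lifecycle the answer describes, as an added example that is not part of the original question or answer and not Firebase's implementation. It is a toy model on constructed data: `AuthServer` stands in for the identity provider, HMAC-SHA256 with a made-up key stands in for Firebase's RS256 signing keys, and the `tokens_valid_after` field is modelled on Firebase's `tokensValidAfterTime`. It replays the asker's scenario (sign in, delete the account, keep the token cached in the keychain) and shows why a stateless ID-token check still returns the deleted user's email for up to an hour, why a revocation-aware check rejects it at once, and why the account cannot refresh once the hour is up:

```python
import base64
import hashlib
import hmac
import json

ID_TOKEN_TTL = 3600  # Firebase ID tokens expire one hour after they are minted
SIGNING_KEY = b"stand-in-key"  # assumption: HMAC stand-in for Firebase's RS256 keys


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """Stand-in identity provider (not Firebase): an account table holding the
    disabled flag and a tokens_valid_after timestamp per account."""

    def __init__(self):
        self.accounts = {}

    def create_user(self, uid, email):
        self.accounts[uid] = {"email": email, "disabled": False, "tokens_valid_after": 0}

    def delete_user(self, uid):
        # Like deleting the user in the console: the record disappears, but the
        # ID token already sitting in the device keychain is untouched.
        self.accounts.pop(uid, None)

    def disable_user(self, uid, now):
        # Like disabling the account and revoking its refresh tokens: tokens
        # minted before `now` are rejected by a revocation-aware check.
        self.accounts[uid]["disabled"] = True
        self.accounts[uid]["tokens_valid_after"] = now

    def mint_id_token(self, uid, now):
        # Called at sign-in or when the app exchanges its refresh token;
        # a deleted or disabled account cannot obtain a fresh ID token.
        acct = self.accounts.get(uid)
        if acct is None or acct["disabled"]:
            raise PermissionError("refresh rejected")
        claims = {"sub": uid, "email": acct["email"], "iat": now, "exp": now + ID_TOKEN_TTL}
        payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
        sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
        return f"{payload}.{sig}"


def verify_id_token(token, now):
    """Stateless check (signature + expiry only). This is the default ID-token
    verification, and it cannot know the account was deleted a minute ago."""
    payload, sig = token.split(".")
    expected = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def verify_id_token_check_revoked(token, now, server):
    """Revocation-aware check, modelled on the Admin SDK's check_revoked=True:
    after the stateless checks the account must still exist, must not be
    disabled, and the token must have been minted after tokens_valid_after."""
    claims = verify_id_token(token, now)
    acct = server.accounts.get(claims["sub"])
    if acct is None:
        raise PermissionError("user no longer exists")
    if acct["disabled"]:
        raise PermissionError("user disabled")
    if claims["iat"] < acct["tokens_valid_after"]:
        raise PermissionError("token minted before revocation")
    return claims


def status(check, *args):
    """Run a verifier or mint call and return 'accepted' or the rejection reason."""
    try:
        check(*args)
        return "accepted"
    except (ValueError, PermissionError) as e:
        return str(e)


def deletion_window_demo():
    """The asker's scenario on constructed data: sign in, delete the account,
    keep the cached token, and probe it ten minutes and one hour later."""
    server = AuthServer()
    t0 = 1_700_000_000  # constructed timestamp
    server.create_user("uid-1", "someone@example.com")  # constructed sample user
    token = server.mint_id_token("uid-1", t0)
    server.delete_user("uid-1")
    # 10 min on: stateless check still decodes the deleted user's email, the
    # revocation-aware check refuses; 1 h on: token expired and no refresh possible.
    return {
        "stateless_10min": verify_id_token(token, t0 + 600)["email"],
        "check_revoked_10min": status(verify_id_token_check_revoked, token, t0 + 600, server),
        "stateless_1h": status(verify_id_token, token, t0 + ID_TOKEN_TTL),
        "refresh_1h": status(server.mint_id_token, "uid-1", t0 + ID_TOKEN_TTL),
    }
```

Calling `deletion_window_demo()` returns the four outcomes. The real-world counterpart of `verify_id_token_check_revoked` is `firebase_admin.auth.verify_id_token(token, check_revoked=True)` (or `admin.auth().verifyIdToken(token, true)` in Node), which is the "expensive extra check" the answer mentions: it costs a lookup of the user record on every call, which is exactly why the default path checks only signature and expiry, and why disabling the account on the back end is the reliable way to lock a user out inside the one-hour window.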

Related Questions