vesii

Reputation: 3128

How to logout all sessions once user deleted from auth firebase service?

I wrote the following code for Firebase Functions:

const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp();

// Collection path prefix; assumed to be defined elsewhere in the project, placeholder value here.
const COLLECTION_PREFIX = process.env.COLLECTION_PREFIX || 'app';

// Fires whenever a user document is deleted from Firestore; the document id is the phone number.
exports.deleteVolunteer = functions.firestore.document(`${COLLECTION_PREFIX}/users/{userPhoneNumber}`).onDelete(async (snap, context) => {
    const userPhoneNumber = context.params.userPhoneNumber;
    try {
        // Look up the Auth account by its phone number, then delete it.
        const userRecord = await admin.auth().getUserByPhoneNumber(userPhoneNumber);
        await admin.auth().deleteUser(userRecord.uid);
        console.log('Successfully deleted user with phone number: ' + userPhoneNumber);
    } catch (error) {
        console.log('Failed to delete user with phone number: ' + userPhoneNumber + ' with error ' + error);
    }
    return null;
});

Basically, once it sees that some document has been removed from the cloud database, it removes the user from the auth service. I would like to exit all sessions on all devices that this user is logged in on. As you can see, the user connects to the app with a phone number. How can I do it?

Upvotes: 0

Views: 2782

Answers (1)

Frank van Puffelen

Reputation: 599041

When a user signs in to Firebase Authentication they get back an ID token that is valid for one hour. Until that token expires, there is no way to revoke it - at least not without changing the key that is used to sign all tokens.

This means that there is no way for the server to terminate existing sessions instantly.

Instead, the common way to instantly lock out users is:

  1. Send a signal to the clients that they need to refresh the token, which will sign out those clients - and prevent them from signing in again. This of course won't stop a malicious user from trying to use the existing token, so...

  2. Check server-side whether the user account was deactivated before performing a sensitive operation. You can do this against the Firebase Authentication Admin SDK, but more common is to store the UIDs of recently deactivated accounts in the database you use, and then check in security rules or code.

For an example of this see the documentation on checking for ID token revocation.

Upvotes: 3
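As an added example (not code from the question or from the answer), here is the lock-out sequence the answer describes, in Node.js: revoke refresh tokens, record the UID in a "recently deactivated" store, delete the account, and then check that store server-side before any sensitive operation, because an already-issued ID token stays valid for up to an hour. The Admin SDK method names (revokeRefreshTokens, deleteUser, verifyIdToken) are real, but the auth and store objects are injected so the logic runs offline; `deactivateUser`, `authorizeRequest`, the fakes and the `uid-alice` token are all constructed for this illustration.

```javascript
// Added example: two-step lock-out for Firebase Authentication.
// In production, pass admin.auth() and a Firestore collection wrapper here;
// the fakes at the bottom are constructed stand-ins so the file runs offline.

// Step 1: deactivate. Refresh tokens are revoked first so the next token
// refresh on any device fails, the uid is recorded as deactivated, and only
// then is the account deleted (revokeRefreshTokens needs an existing user).
async function deactivateUser(auth, revokedStore, uid, now = Date.now()) {
  await auth.revokeRefreshTokens(uid);          // admin.auth().revokeRefreshTokens(uid)
  await revokedStore.set(uid, { revokedAt: now });
  await auth.deleteUser(uid);                   // admin.auth().deleteUser(uid)
}

// Step 2: before a sensitive operation, verify the ID token and then consult
// the store. A cached or stolen ID token remains cryptographically valid until
// it expires, so the signature check alone is not enough.
async function authorizeRequest(auth, revokedStore, idToken) {
  let decoded;
  try {
    // checkRevoked=false: signature and expiry only, no network round trip.
    // Passing true would additionally compare auth_time with the user's
    // tokensValidAfterTime via a lookup on every request.
    decoded = await auth.verifyIdToken(idToken, false);
  } catch (err) {
    return { allowed: false, reason: 'token-invalid' };
  }
  if (await revokedStore.has(decoded.uid)) {
    return { allowed: false, reason: 'account-deactivated' };
  }
  return { allowed: true, uid: decoded.uid };
}

// --- constructed stand-ins for admin.auth() and a Firestore collection ---
function makeFakeAuth(uids) {
  const users = new Map(uids.map((uid) => [uid, { tokensValidAfterTime: 0 }]));
  return {
    async revokeRefreshTokens(uid) {
      if (!users.has(uid)) throw new Error('auth/user-not-found');
      users.get(uid).tokensValidAfterTime = Date.now();
    },
    async deleteUser(uid) {
      if (!users.delete(uid)) throw new Error('auth/user-not-found');
    },
    // The real SDK verifies an RS256-signed JWT against Google's public keys;
    // this fake only parses a constructed "uid.authTime" string.
    async verifyIdToken(token) {
      const [uid, authTime] = String(token).split('.');
      if (!uid || !authTime) throw new Error('auth/argument-error');
      return { uid, auth_time: Number(authTime) };
    },
  };
}

function makeFakeRevokedStore() {
  const docs = new Map();
  return {
    async set(uid, data) { docs.set(uid, data); },
    async has(uid) { return docs.has(uid); },
  };
}

// Scenario: the same unexpired ID token is accepted before deactivation and
// rejected afterwards; a malformed token is rejected outright.
async function demo() {
  const auth = makeFakeAuth(['uid-alice']);
  const store = makeFakeRevokedStore();
  const aliceToken = 'uid-alice.1700000000';    // constructed token
  const before = await authorizeRequest(auth, store, aliceToken);
  await deactivateUser(auth, store, 'uid-alice');
  const after = await authorizeRequest(auth, store, aliceToken);
  const garbage = await authorizeRequest(auth, store, 'not-a-token');
  return { before, after, garbage };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

The same denylist can be enforced in Firestore security rules instead of server code, for example `allow read, write: if request.auth != null && !exists(/databases/$(database)/documents/revokedUsers/$(request.auth.uid));`, so that a deactivated account's still-valid ID token is refused by the database itself. Entries only need to live for about an hour after deactivation, after which the original token has expired on its own.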
