Reputation: 191
Hey everyone, I'm trying to figure out how I can disable and log out a user correctly.
After researching, I found out that this is how we disable the user:
const user = await admin.auth().updateUser(userUid, {
  disabled: true,
});
But the question I have is, what if the user is still logged in to the app? I tried it out and nothing happened; the user can still use the app after disabling him. So what can we do about that? I was thinking about logging the user out with a Firebase function. My app is written in Flutter; the backend is Firebase.
Upvotes: 0
Views: 859
Reputation: 599176
Being signed-in to Firebase is based on an ID token. By default such a token is valid for an hour from the moment it was minted, and the token itself cannot be invalidated during that time.
The user will remain authenticated (for up to an hour) until their ID token needs to be refreshed. At that point they'll be logged out and won't be able to log in again.
If you want to block their access before that ID token refresh, you will need to do that through some other mechanism, for example by keeping a list of disabled UIDs and checking against that.
I recommend checking out the Firebase documentation on managing user sessions, specifically the section on detecting ID token revocation.
This topic has been covered before, so I recommend checking out:
Upvotes: 1
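The server-side flow the answer points to, as an added example that is not part of the original posts: disable the account, revoke its refresh tokens, and have the backend verify every ID token with the revocation check enabled. `auth` stands for the Admin SDK's `admin.auth()`; the function names and the in-memory `makeFakeAuth` stand-in (with its `uid:authTime` token strings) are hypothetical and constructed so the flow runs offline.

```javascript
// Added example. `auth` is the Admin SDK Auth instance, i.e. admin.auth().
// Function names and the fake below are hypothetical, for illustration only.

// Disable the account and revoke its refresh tokens so no new ID token is minted.
async function disableAndRevoke(auth, uid) {
  await auth.updateUser(uid, { disabled: true });
  await auth.revokeRefreshTokens(uid);
}

// Backend gate for each privileged request: checkRevoked=true makes the SDK
// consult the user record instead of trusting the still-valid token alone.
async function authorize(auth, idToken) {
  try {
    const decoded = await auth.verifyIdToken(idToken, true);
    return { allowed: true, uid: decoded.uid };
  } catch (err) {
    const denied = ['auth/id-token-revoked', 'auth/user-disabled'];
    if (denied.includes(err.code)) {
      return { allowed: false, reason: err.code }; // client should sign out
    }
    throw err; // expired, malformed, etc.: left to the caller
  }
}

// Constructed in-memory stand-in for admin.auth() (assumption, not the SDK).
// Tokens here are plain "uid:authTimeSeconds" strings, not real JWTs.
function makeFakeAuth(nowSeconds) {
  const users = new Map();
  const get = (uid) => {
    if (!users.has(uid)) users.set(uid, { disabled: false, validAfter: 0 });
    return users.get(uid);
  };
  const fail = (code) => Object.assign(new Error(code), { code });
  return {
    async updateUser(uid, props) { Object.assign(get(uid), props); },
    async revokeRefreshTokens(uid) { get(uid).validAfter = nowSeconds(); },
    async verifyIdToken(token, checkRevoked) {
      const [uid, authTime] = token.split(':');
      const user = get(uid);
      if (checkRevoked && user.disabled) throw fail('auth/user-disabled');
      if (checkRevoked && Number(authTime) < user.validAfter) {
        throw fail('auth/id-token-revoked');
      }
      return { uid, auth_time: Number(authTime) };
    },
  };
}
```

This only protects code paths that call `verifyIdToken` with the revocation check; data guarded solely by security rules still needs the disabled-UID list the answer describes.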