
User authentication persists after removing the user from console.firebase.google.com

Updated: 2023-12-05 17:07:10

If your user is logged in in your application and you are manually deleting it from the Firebase Console, the user will remain active until the token is refreshed. So for about an hour at most, the user will remain authenticated. So if you want to restrict the access of a user instantly, you need to sign him out.

But there is another workaround, in which you can create a new node in your Firebase database named usersToLogOut and add there all the user ids as keys and the boolean true as the value. The database should look like this:

Firebase-root
     |
     --- usersToLogOut
             |
             --- uid1: true
             |
             --- uid2: true

The next step: when you delete that account manually, you need to add the uid of the user under this node. You also need to use Firebase Security Rules to revoke access for unauthorized users. The rules should look like this:

{
  "rules": {
    "usersToLogOut": {
      ".read": true,
      ".write": false
    },
    "posts": {
      ".read": "auth != null && !root.child('usersToLogOut').child(auth.uid).exists()"
    }
  }
}

According to your edit, you say: "what I'm asking here is not how to secure my DB from him/her but I to check that It has been deleted", but this is the easier way in which you can achieve this, by using the rules above. If you delete the user manually from the console, this doesn't mean that you are deleting everything with it, including database records. You need to do this yourself. So the simplest way is to use rules.

Additionally, if you delete all user records, then you can add a listener and force him to sign out, but this means that you need to search your database for all records and remove them accordingly. The first solution is easier, because you only need to add a single record in your database and that's it!

When you are deleting a user manually, this doesn't mean that the firebaseUser object will be null, so checking for nullity does not make any sense, because the user will still be authenticated till the next token refresh. So to solve this, you need to use Firebase rules to restrict the access.

So your code will always work. What I was trying to say is that between the time in which you delete the user manually from the console and the time in which you get a refreshed token, it can be up to an hour in which the user will still have access to your app, even if he is deleted. To stop this, for that hour, you need to use the solution above.

Edit 3, based on the OP's comment:

Your code works well and will always work, but the problem is that even if you delete the user from the console, he will still have access to the database till the next token refresh. And yes, the user will be able to access the database. That token will be valid for about an hour, and if you do not want that, you can restrict it using the security rules, and in that hour the user will not have access anymore.

In other words, if you delete it also from the client side, and if it is not valid, and if someone else has 'stolen' this token, they could use it to access the DB. Not the user who is using your app, but someone that could have stolen that token.
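As an added example that is not part of the original answer, the following JavaScript models the `usersToLogOut` tree and the `/posts` read rule above against an in-memory copy of the database, so the deny-while-token-still-valid behaviour can be checked offline. The sample uids are constructed, and `signOut` is a stand-in for the Firebase client sign-out call.

```javascript
// Constructed snapshot mirroring the tree shown in the answer.
const sampleDb = {
  usersToLogOut: { uid1: true, uid2: true },
  posts: { post1: { title: "hello" } },
};

// Models root.child('usersToLogOut').child(uid).exists():
// a child exists whenever its value is non-null, so `false` still counts
// as "listed". To re-admit a user the key has to be removed, not set to false.
function isLoggedOut(db, uid) {
  const node = db.usersToLogOut || {};
  return node[uid] !== undefined && node[uid] !== null;
}

// Models the ".read" rule on /posts from the answer:
// "auth != null && !root.child('usersToLogOut').child(auth.uid).exists()".
// `auth` is non-null for any caller whose ID token has not expired yet,
// which is exactly the up-to-an-hour window the answer describes.
function canReadPosts(db, auth) {
  return auth != null && !isLoggedOut(db, auth.uid);
}

// Step to perform alongside deleting the account in the console.
function blockUser(db, uid) {
  db.usersToLogOut = { ...(db.usersToLogOut || {}), [uid]: true };
  return db;
}

// Removing the key (writing null in the real database) is what unblocks.
function unblockUser(db, uid) {
  const { [uid]: _removed, ...rest } = db.usersToLogOut || {};
  db.usersToLogOut = rest;
  return db;
}

// Client-side reaction the answer mentions: watch the flag for the current
// uid and force a sign-out when it appears. Returns true if sign-out ran.
function onLogoutFlag(db, uid, signOut) {
  if (isLoggedOut(db, uid)) {
    signOut();
    return true;
  }
  return false;
}
```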