Firebase deleted user is able to change data. How can I fix this without modifying application code?

android firebase firebase-realtime-database firebase-authentication firebase-security

Solution 1:

When a token is minted, it gets an expiration timestamp. This essentially says: "the information in this token is valid until ...". Deleting the user does not invalidate any existing tokens.

Keep in mind that since the newest Firebase Authentication SDKs, the tokens are only valid for one hour. So after at most an hour, the token will expire and it will be impossible for the deleted user to refresh it.

If this is not enough for your application, you can add logic to your application that marks the deleted users in the database (in a section that only the administrator can access):

/deletedUsers
  209103: true
  37370493: true

You can then in your security rules validate that only non-deleted users can access data:

".read": "!root.child('deletedUsers').child(auth.uid).exists()"

Related

Swift Closures in for loop
How do I parse XML containing custom namespaces using SimpleXML? [duplicate]
how to compare list elements(type string) and string(in request scope) using struts 2 tags
Constraining the existing Boost.Spirit real_parser (with a policy)
BIOS int 10h printing garbage on QEMU
Why may Ubuntu Software not be opening on Ubuntu 20.04?
CD tray opens and closes occasionally. Sometimes at halfway
Make a Ubuntu Live USB without having it waste the whole USB?
How can I get BIG-IP Edge vpn for Ubuntu 18.10? Or can I use any alterantive?
What will happen to old version of python when I upgrade from 16.04 to 18.04?
How to edit UTF-8 files with vim
how do I fix these error ? $'\r': command not found in WSL [duplicate]