Firebase deleted user is able to change data. How can I fix this without modifying application code?

Solution 1:

When a token is minted, it gets an expiration timestamp. This essentially says: "the information in this token is valid until ...". Deleting the user does not invalidate any existing tokens.

Keep in mind that since the newest Firebase Authentication SDKs, the tokens are only valid for one hour. So after at most an hour, the token will expire and it will be impossible for the deleted user to refresh it.

If this is not enough for your application, you can add logic to your application that marks the deleted users in the database (in a section that only the administrator can access):

/deletedUsers
  209103: true
  37370493: true

You can then in your security rules validate that only non-deleted users can access data:

".read": "!root.child('deletedUsers').child(auth.uid).exists()"