Firebase authentication not revoked when user deleted?

I've encountered a strange behavior of the Firebase simple login with email/password: If I log in with an existing user account I'm able to write to a Firebase ref (ie $root/list/$item). If not, I have no write access as expected (Firebase rules seem to be OK), BUT if a client is logged in, and I meanwhile delete a user from Firebase Forge (Auth page), the connected client still has write access to the Firebase ref! Is it by design or is it a bug? Thanks.
Here are the rules:

    {
      "rules": {
        ".read": true,
        "list": {
          "$item": {
            ".write": "auth != null && newData.child('author').val() == auth.id",
            ".validate": "newData.hasChildren(['author', 'content'])",
            "author": {
              ".validate": "newData.val() == auth.id"
            },
            "content": {
              ".validate": "newData.isString()"
            }
          }
        }
      }
    }
Short answer: by design, or more accurately, not applicable in this case.

During auth, FirebaseSimpleLogin generates a token. Once the token is given to a client, it remains valid until it expires. Thus, when you delete the user account in simple login, this does not somehow go to the client's machine and remove the token. This is a pretty standard auth model, and the expiration length on the token (configurable in Forge) is the key constraint for security.

If you want to revoke logins immediately, then simple login is not the right tool for the job. You'll want to use custom login and generate your own tokens. There are some great discussions on revocable tokens, so I'll defer you to those, since that's outside the purview of your question.