How To Check Whether User is Disabled or Not in Firebase Auth
You can check the state with FirebaseAuth.getInstance().getCurrentUser().reload(); or FirebaseUser.reload().
- The call manually refreshes the data of the current user (for example, attached providers, display name, and so on).
In Android Java, if (1) the email account is disabled in the Firebase Authentication dashboard and (2) the above .reload() call is made in your Android code, then the next FirebaseAuth.getInstance().getCurrentUser(); call will return null.
Or a FirebaseAuthInvalidUserException is thrown if the current user's account has been disabled, deleted, or its credentials are no longer valid.
Use FirebaseUser.reload() with an OnCompleteListener, and if this listener returns a failure, display a prompt and sign the user out or move to a login page.
Edit: 20th April 2022
Since the answer is somewhat old, I'll add another approach that we have nowadays, which is by calling the FirebaseUser#reload() method, which:
Manually refreshes the data of the current user (for example, attached providers, display name, and so on).
So when calling the reload() method, it means that we reload the user's profile data from the Firebase server. Another thing to mention is that a FirebaseAuthInvalidUserException will be thrown if:
The current user's account has been disabled or deleted, or its credentials are no longer valid.
But remember, this also doesn't mean that the auth state is changed. You need to call this method explicitly, for example, when the user opens the app. Also remember that the method is asynchronous; it returns a Task object. So you need to attach a listener in order to get the new profile data from the server.
Disabling or deleting a user account does not mean that it also fires an auth state change. Nor should it, because the user is still authenticated in the application. You need to know that in at most an hour, Firebase Authentication will try to refresh the access token for that particular user that was disabled or deleted. But in this case, that refresh will fail, at which point the user will become unauthenticated. This is the point at which the auth state change event will fire.
If you want to revoke the user's authorization immediately, you'll have to do so in another part of your application logic. A common practice when it comes to Firebase is to create a new node in your database called blacklist that should look like this:
Firebase-root
    |
    --- bannedUsers
           |
           --- uidOfBannedUser: true
Now when you delete/disable a user's account in your Firebase console, you also need to add the corresponding UID to the list of banned users in the database.
The database can then be secured against access from unauthorized users with the help of Firebase Database Security Rules. This can be done by adding a clause to your database security rules like this:
{
  "rules": {
    "bannedUsers": {
      ".read": true,
      ".write": false // only admins can write these
    },
    "messages": {
      ".read": "auth != null && !root.child('bannedUsers').child(auth.uid).exists()"
    }
  }
}
If you use a different back-end, the implementation will be different. There can be other examples, but a blacklist like this is a common approach to ban users. You'll find that you may even care little enough about their authentication that you only ban them, instead of deleting their credentials, which they could simply recreate.
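The reload-and-check pattern described in the answers above, written out as an added Android Java example (not code from any of the answers). The AccountStateCheck class and its Callback interface are hypothetical names; the Firebase calls (getCurrentUser, reload, addOnCompleteListener, getErrorCode, signOut) are the real SDK API. Only a FirebaseAuthInvalidUserException clears the local session; a network failure is reported separately so a flaky connection does not log users out.

```java
import androidx.annotation.NonNull;
import com.google.android.gms.tasks.OnCompleteListener;
import com.google.android.gms.tasks.Task;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthInvalidUserException;
import com.google.firebase.auth.FirebaseUser;

/** Hypothetical helper: verify the cached account against the server, e.g. on app start. */
public final class AccountStateCheck {

    /** Hypothetical callback; onInvalid receives the SDK error code (e.g. ERROR_USER_DISABLED). */
    public interface Callback {
        void onValid(FirebaseUser user);
        void onInvalid(String errorCode);
        void onError(Exception e);
    }

    public static void check(final Callback cb) {
        final FirebaseAuth auth = FirebaseAuth.getInstance();
        FirebaseUser user = auth.getCurrentUser();
        if (user == null) {
            cb.onInvalid("no signed-in user");
            return;
        }
        // reload() is asynchronous: the locally cached FirebaseUser stays stale until the Task completes.
        user.reload().addOnCompleteListener(new OnCompleteListener<Void>() {
            @Override
            public void onComplete(@NonNull Task<Void> task) {
                if (task.isSuccessful()) {
                    // Profile data refreshed from the server; account is still active.
                    cb.onValid(auth.getCurrentUser());
                    return;
                }
                Exception e = task.getException();
                if (e instanceof FirebaseAuthInvalidUserException) {
                    // Disabled, deleted, or credentials no longer valid: drop the local session now
                    // instead of waiting up to an hour for the token refresh to fail.
                    String code = ((FirebaseAuthInvalidUserException) e).getErrorCode();
                    auth.signOut();
                    cb.onInvalid(code);
                } else {
                    // Transient failure (e.g. no network): keep the session, let the caller retry.
                    cb.onError(e != null ? e : new IllegalStateException("reload failed"));
                }
            }
        });
    }
}
```

Call AccountStateCheck.check(...) from your launcher activity and, in onInvalid, navigate to the login screen; combine it with the bannedUsers rule above if you need revocation to take effect before the client next reloads.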