
How do I in the best possible way remove a user and his/her profile (the profile has its own node with the $uid as the key) in the best way in Firebase?

Should I just do a $remove() on the profile and then a $userRemove(), or is there a better way? If I have my rules set up properly I can't access the profile for a deletion after I deleted the user I guess, since only the user has write access to the profile.

```json
"profiles": {
  "$uid": {
    // grants write access to the owner of this profile whose uid must exactly match the key ($uid)
    ".write": "auth !== null && auth.uid === $uid",
    // grants read access to any user who is logged in with an email and password
    ".read": "auth !== null && auth.provider === 'password'"
  }
}
```

This is how I figure it could be done, but what happens if one of the calls goes through and not the other? Then an inconsistent user/profile is left.

```javascript
var firebaseObj = new Firebase(FBURL),
    Auth = $firebaseAuth(firebaseObj);

// Synchronized object for this user's profile node (profiles/<uid>)
var profileObj = $firebase(firebaseObj.child('profiles').child(user.uid)).$asObject();

// Remove the profile data first, then the account itself
profileObj.$remove().then(function(data) {
    return Auth.$removeUser(user);
}).then(function(data) {
    console.log('successfully removed user and profile');
});
```

Note: I have not tested the code above, just wanted to get other people's thoughts about how to do this and provide a rough example of how I could do it.

KungWaz

1 Answer


Deleting the user will not invalidate the auth token and will not log the user out of the account. This is a common misconception with OAuth tokens--that tokens are some sort of real-time, living component that constantly monitors the server for changes. OAuth tokens are valid until they are revoked.

In Firebase, an OAuth token is revoked when:

  • the secret used to create it is revoked
  • the token expires

One can also effectively revoke access by adding a dependency in the data which is checked in security rules. In this way, access can be prevented to the data even though the existing token is still valid.

The ordering here would therefore not matter. You can delete the account and remove the record simultaneously without concern that the user would somehow lose access.

Also, this isn't a cascading remove, since one operation is removing user credentials (which are an encrypted hash of email/pass -> uid), and the other is physically deleting data from Firebase--these ops are completely independent and not at all related other than the constraints you've placed on the data for your app.

Kato
  • Thanks for the reply, I know it's not a cascading remove I'm doing. Was just trying to figure out if there was a good way to do it or emulate it. The problem I am having is that when I do an unauth I get a problem with my Firebase connection with regards to the setup rules that only allow a user to access certain endpoints if they are logged in. If you have a minute over you could maybe tell me where I'm going wrong. I have an onauth listener where I try to destroy the connection to my profile. It's my profile and message connection that don't terminate correctly – KungWaz Feb 18 '15 at 20:53
  • Forgot this: https://KungWaz@bitbucket.org/KungWaz/edgeacademy.git Don't expect you to do my dirty work, but as I said, if you have the time the auth and message service is where my problem lies... At the moment I have read status true on the profile and message endpoint in the Firebase rules. – KungWaz Feb 18 '15 at 20:55
  • The warning you receive when security rules are violated is benign--this simply means that you've lost access to the data (as expected). To prevent those, you would need to call `$destroy` on the synchronized array returned by `Message.getMessages()`, and probably call `off()` on the [amOnline](https://bitbucket.org/KungWaz/edgeacademy/src/eececf1884b0fcb231d12d4b4c31e3f9783ae123/src/services/online.service.js?at=master#cl-8) ref – Kato Feb 18 '15 at 22:41
  • Ok, so then I can ignore the error. But I still fail somehow when I try to do my destroy since I get the error :( – KungWaz Feb 24 '15 at 07:42
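
The data dependency described in the answer could look like the rules below; this is an added example, not code from the original posts. The `deletedUsers` node and the `messages` path are assumptions: a user can create their own marker under `deletedUsers` but never remove it, so a token that is still valid after the account is deleted no longer passes the rules.

```json
{
  "rules": {
    // Hypothetical marker node (an assumption, not in the original posts).
    "deletedUsers": {
      "$uid": {
        // The owner may create the marker once. Because of !data.exists(),
        // that user can never overwrite or remove it afterwards.
        ".write": "auth !== null && auth.uid === $uid && !data.exists() && newData.val() === true"
      }
    },
    "profiles": {
      "$uid": {
        // The owner may always delete. Creating or updating requires that no
        // marker exists, so a still-valid token cannot recreate the profile.
        ".write": "auth !== null && auth.uid === $uid && (!newData.exists() || !root.child('deletedUsers').child($uid).exists())",
        // Same read rule as in the question, plus the marker check.
        ".read": "auth !== null && auth.provider === 'password' && !root.child('deletedUsers').child(auth.uid).exists()"
      }
    },
    // Assumed path for the message data mentioned in the comments.
    "messages": {
      ".read": "auth !== null && !root.child('deletedUsers').child(auth.uid).exists()"
    }
  }
}
```

Writing the marker first means a token that outlives the account is already locked out of reads and of any write other than deleting its own profile, whichever of the two removals then fails.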