2

I've manually deleted the Firebase user, then removed the app from the device (a physical iPhone), and then when I install it, it passes through the auth check, printing the deleted user's email and all. This is the method I use to check if the user exists:

```dart
home: FutureBuilder<FirebaseUser>(
  future: Provider.of<AuthService>(context).getUser(),
  builder: (context, AsyncSnapshot<FirebaseUser> snapshot) {
    if (snapshot.connectionState == ConnectionState.done) {
      if (snapshot.error != null) {
        print('error');
        return Text(snapshot.error.toString());
      }
      user = snapshot.data;
      // snapshot.data is null when no user is signed in, so guard the access.
      print(user?.email);
      return snapshot.hasData ? HomeScreen(user, pos) : LoginScreen();
    } else {
      return LoadingCircle();
    }
  },
)
```

How is this possible? Can anyone explain, please, why the user is still there when I deleted it from the Auth Users on Firebase?

Doug Stevenson
i6x86
  • What exactly is that `snapshot`? – Doug Stevenson Sep 14 '19 at 20:20
  • Not home now and I can’t check, but it’s code I took from an example showing how to auth a Firebase user. It was working fine till now. I mean previously I’ve deleted the app and the user and it was sending me to the login screen, but now it bypasses the auth check. – i6x86 Sep 14 '19 at 21:03
  • @DougStevenson https://api.flutter.dev/flutter/widgets/AsyncSnapshot-class.html? But for OP that leaves the question what `AuthService` is, as I can't find that in the Firebase Authentication SDK for Flutter: https://pub.dev/documentation/firebase_auth/latest/firebase_auth/firebase_auth-library.html. Is it what's described here https://dev.to/aaronksaunders/simple-firebase-login-flow-in-flutter-now-firebase-23nk? If so, can you please ensure the question includes the minimum code from there that is needed to reproduce the problem? – Frank van Puffelen Sep 14 '19 at 21:06
  • I’ve found the example https://dev.to/aaronksaunders/simple-firebase-login-flow-in-flutter-now-firebase-23nk – i6x86 Sep 14 '19 at 21:16
  • @FrankvanPuffelen yes it’s the same example. I’ll post more code tomorrow. – i6x86 Sep 14 '19 at 21:18

1 Answer

10

How long did you wait after reinstalling the app? If you reinstalled the app shortly after uninstalling it, this is the expected behavior on iOS.

The reason for this is manifold, so I'll list a few bits of how Firebase Authentication works below:

  1. Firebase Authentication uses two tokens to authenticate the user, a long-lived refresh token, and a short-lived ID token.

  2. The ID token is valid for one hour from when it is minted. Once minted, an ID token can't be revoked, which is why Firebase doesn't have to perform an expensive extra check on every interaction.

  3. The ID token is persisted on the device, so that restarting the app can quickly pick up the user's authentication state, as long as the token has not expired.

  4. On iOS the ID token is stored in the user's keychain, which is not automatically deleted when you delete an app. See Firebase - Deleting and reinstalling app does not un-authenticate a user

Give it another hour or so, and you should see that the user is no longer authenticated. Alternatively, don't delete the user account, but disable it both in Firebase Authentication and in the back-end service that you're using. For an example of this see Firebase still retrieving authData after deletion and five tips to secure your app.

Frank van Puffelen
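An added example, not part of the answer above and not Firebase code: a Python model of why a deleted user's cached ID token keeps passing until its one-hour expiry, and how the back-end list of deleted or disabled accounts that the answer recommends closes that window. The token, UID, timestamps and function names are constructed for illustration, and signature verification is left out as an assumption.

```python
import base64
import json

ID_TOKEN_LIFETIME = 3600  # seconds: the one-hour validity described in the answer


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(uid: str, issued_at: int) -> str:
    """Constructed JWT-shaped token; the signature segment is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"sub": uid, "iat": issued_at, "exp": issued_at + ID_TOKEN_LIFETIME}
    parts = [_b64url(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(parts + ["placeholder-signature"])


def decode_claims(token: str) -> dict:
    """Read the payload segment. Signature verification is omitted here
    (assumption); a real back end must verify the token before trusting it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_only_check(token: str, now: int) -> bool:
    """What a service sees if it trusts the ID token alone."""
    claims = decode_claims(token)
    return claims["iat"] <= now < claims["exp"]


def backend_check(token: str, now: int, blocked_uids: set) -> bool:
    """Token validity plus the service's own list of deleted/disabled UIDs."""
    return token_only_check(token, now) and decode_claims(token)["sub"] not in blocked_uids


def timeline() -> list:
    minted = 1_568_490_000  # constructed mint time
    token = make_sample_token("uid-deleted-user", minted)
    blocked = {"uid-deleted-user"}  # account removed right after minting
    return [(off, token_only_check(token, minted + off),
             backend_check(token, minted + off, blocked))
            for off in (600, 1800, 3599, 3600)]


if __name__ == "__main__":
    for offset, token_ok, backend_ok in timeline():
        print(f"t+{offset:>4}s  token-only={token_ok}  with-blocklist={backend_ok}")
```

The token-only column stays true until the hour is up, which matches the behaviour in the question; the blocklist column is false from the moment the account is removed.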