Is there a way to log out a specific user using firebase auth go sdk?

Question

Background of this question

I'm using firebase auth for user authentication on my app.
I realized that firebase doesn't have a log of user information changes, so I can't answer user questions about it.
So, I'm planning to move the feature of changing user account info (like email, display name, and password) from using the client-side firebase auth library to using the server-side firebase auth SDK, for the purpose of taking logs of these changes to use for user support. Also, I'd like to log out a user who changes account info.

I've looked for the appropriate API in the documentation at firebase.google.com/go/v4/auth and found the UpdateUser function. The struct UserToUpdate, which is a parameter of UpdateUser, can set a new email address, new password and new display name, but I can't find a way to set a parameter that logs a user out.

My question

Is there a way to log out a specific user by the firebase auth go SDK?

Answer 1

Score: 1

Firebase Authentication's client-side sign-in is based on ID tokens, which are valid until their built-in expiration (by default: an hour after they are minted). Since no server keeps a list of all the ID tokens it has minted, there is no way to mark a token as invalid on such a list either.

The common approach to revoke access for a user is to:

  1. Revoke the refresh token, so that they can no longer mint new ID tokens with it.
  2. Add the ID token(s) of the user to a self-managed list of revoked ID tokens.
  3. Detect the presence of an ID token in this list from your server-side code and security rules.
  4. Optionally detect the refresh token revocation on the client.

Instead of logging the user out, you can also force-refresh their ID token/profile on the client to get the latest information from the server.
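The revocation flow described in this answer, as an added Go example that is not code from the question, the answer, or the Firebase SDK: a hypothetical in-memory store that records when a user's refresh token was revoked (step 1), keeps a deny list of individual ID tokens (step 2), and performs the server-side check (step 3). It assumes the ID token's signature and its uid, auth_time and exp claims have already been verified by the SDK; with the real Go SDK, RevokeRefreshTokens sets the per-user cut-off and VerifyIDTokenAndCheckRevoked does the auth_time comparison for you.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"time"
)

// RevocationStore is a hypothetical self-managed revocation list (not part of the
// Firebase SDK). It holds the two signals the answer describes: when a user's
// refresh token was revoked, and individual ID tokens denied before they expire.
type RevocationStore struct {
	validAfter map[string]time.Time // uid -> ID tokens signed in before this are stale
	revoked    map[string]struct{}  // sha256 of an ID token -> denied
}

func NewRevocationStore() *RevocationStore {
	return &RevocationStore{validAfter: map[string]time.Time{}, revoked: map[string]struct{}{}}
}

// tokenKey stores only a hash so the deny list is not a cache of usable bearer tokens.
func tokenKey(idToken string) string {
	sum := sha256.Sum256([]byte(idToken))
	return hex.EncodeToString(sum[:])
}

// RevokeUser records when the user's refresh token was revoked (step 1 in the answer).
func (s *RevocationStore) RevokeUser(uid string, at time.Time) { s.validAfter[uid] = at }

// RevokeToken denies one specific ID token before its natural expiry (step 2).
func (s *RevocationStore) RevokeToken(idToken string) { s.revoked[tokenKey(idToken)] = struct{}{} }

// Allow is the server-side check (step 3). uid, authTime and exp are claims of an
// ID token whose signature has already been verified; now is the request time.
func (s *RevocationStore) Allow(idToken, uid string, authTime, exp, now time.Time) bool {
	if !now.Before(exp) { // the built-in (default one hour) lifetime has passed
		return false
	}
	if _, denied := s.revoked[tokenKey(idToken)]; denied {
		return false
	}
	// A token minted before the revocation is still cryptographically valid until
	// exp; comparing auth_time against the cut-off is what closes that window.
	if cutoff, ok := s.validAfter[uid]; ok && authTime.Before(cutoff) {
		return false
	}
	return true
}
```

The last check is the one that matters for the question: an ID token issued before the revocation stays valid for up to an hour on its own, and only this comparison (or an entry in the deny list) makes the server reject it early.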

huangapple
  • Posted on 14 December 2022 at 08:55:32
  • Please keep this link when reposting: https://go.coder-hub.com/74792521.html