Is there a way to log out a specific user using firebase auth go sdk?
Question
Background of this question
I'm using Firebase Auth for user authentication on my app.
I realized that Firebase doesn't have a log of user information changes, so I can't answer user questions about it.
So, I'm planning to move the feature of changing user account info (like email, display name, and password) from using the client-side Firebase Auth library to using the server-side Firebase Auth SDK for the purpose of taking logs of these changes to use for user support. Also, I'd like to log out a user who changes account info.
I've looked for the appropriate API in the documentation for firebase.google.com/go/v4/auth and found the UpdateUser function. The struct UserToUpdate, which is a parameter of UpdateUser, can set a new email address, new password and new display name, but I can't find a parameter to set to log a user out.
My question
Is there a way to log out a specific user with the Firebase Auth Go SDK?
Answer 1
Score: 1
Firebase Authentication's client-side sign-in is based on ID tokens, which are valid until their built-in expiration (by default: an hour after they are minted). Since no server keeps a list of all the ID tokens it has minted, there is no way to mark a token as invalid on such a list either.
The common approach to revoke access for a user is to:
- Revoke the refresh token, so that they can no longer mint new ID tokens with it.
- Add the ID token(s) of the user to a self-managed list of revoked ID tokens.
- Detect the presence of an ID token in this list from your server-side code and security rules.
- Optionally detect the refresh token revocation on the client.
Instead of logging the user out, you can also force-refresh their ID token/profile on the client to get the latest information from the server.
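One way to implement the server-side check from the answer above, as an added example that is not part of the original answer or of the Firebase SDK. It uses only the Go standard library and, as a variant of listing individual ID tokens, records a per-user cut-off time and rejects tokens whose `auth_time` is earlier. `RevocationList`, `Claims` and `ErrRevoked` are hypothetical names; in a real handler `Claims` would be filled from an already verified ID token, and `Revoke` would be paired with the SDK's `RevokeRefreshTokens(ctx, uid)` so the client cannot mint new ID tokens.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrRevoked = errors.New("id token revoked") // token predates the cut-off

// Claims: fields taken from an ID token whose signature was already verified.
type Claims struct {
	UID      string
	AuthTime time.Time // the token's auth_time claim
}

// RevocationList is a hypothetical self-managed store: uid -> revocation cut-off.
type RevocationList struct {
	mu        sync.RWMutex
	revokedAt map[string]time.Time
}

// Revoke records the cut-off for uid; call it right after the account change.
func (l *RevocationList) Revoke(uid string, at time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.revokedAt == nil {
		l.revokedAt = make(map[string]time.Time)
	}
	l.revokedAt[uid] = at.Truncate(time.Second) // claims have 1 s resolution
}

// Check rejects tokens whose sign-in predates the user's cut-off.
func (l *RevocationList) Check(c Claims) error {
	l.mu.RLock()
	defer l.mu.RUnlock()
	if cut, ok := l.revokedAt[c.UID]; ok && c.AuthTime.Before(cut) {
		return ErrRevoked
	}
	return nil
}

func main() {
	list := &RevocationList{}
	t0 := time.Unix(1700000000, 0) // constructed sample sign-in time
	list.Revoke("user-123", t0.Add(10*time.Minute))
	fmt.Println(list.Check(Claims{UID: "user-123", AuthTime: t0}))
}
```

A token from a sign-in after the cut-off passes `Check`, so the user can sign in again immediately; in production the map would live in a shared store so every server instance sees the same cut-offs.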