Authenticated as a user after logging out and reinstalling
- Android device: Moto E3
- Android OS version: 6.0
- Google Play Services version: 10.2.1
- Firebase/Play Services SDK version: 10.2.1
- FirebaseUI version: 1.2.0
The problem:
Steps to reproduce:
- On logging in with Facebook
- Logging out with the following (verifying it works and CompleteListener is called)
    AuthUI.getInstance()
        .signOut(this)
        .addOnCompleteListener(task -> {
            if (task.isSuccessful()) {
                finish();
            } else {
                Toast.makeText(this, R.string.sign_out_failed, Toast.LENGTH_LONG).show();
            }
        });
- Uninstalling and reinstalling
- On launch, the first thing I do is call FirebaseAuth.getInstance().getCurrentUser(), which returns the user that I had logged out before reinstalling
- Additionally: If I retry these steps, and instead of uninstall/reinstall in step 3, I just kill the app and relaunch, I’m getting null for FirebaseAuth.getInstance().getCurrentUser()
NOTE: I’m also allowing backup in my manifest with android:allowBackup="true"
- It appears to not happen if I set android:allowBackup="false", although I haven’t tested this extensively enough to be 100%.
Expected Results:
- After logging out, having no other way to get the current user without first logging back in
Issue Analytics
- State:
- Created 6 years ago
- Comments:10 (3 by maintainers)
Top GitHub Comments
@ahaverty so I can’t say I know what Facebook is storing locally on the phone, but I can tell you what Firebase is storing.
Firebase keeps an authentication token in your app’s local storage. This identifies the user but does not give them access to actually do anything unless it’s refreshed every hour. The Firebase SDKs that use this token (like realtime database) seamlessly handle this refresh for you which is why you don’t have to think about it. If you attach an AuthStateListener in your app you’ll see that you get a new event every hour as the token changes.
So there’s no security risk of restoring this token, since auto backup is linked to the user’s Google account anyway. This would be different if we were storing, say, a Google Sign In access_token which could be taken out of context and used to impersonate the user.
@ahaverty Noooooooooooooo! 😁 Please don’t disable auto backup; this “bug” is a feature that’s great UX. The idea is that if a user is changing devices or reinstalling your app for one reason or another, they can get right back to whatever they were doing instead of having to go through some long and annoying setup. Hope this swayed your opinion a little! 😁
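For an app that wants the reporter's expected result (no current user after a reinstall) while keeping android:allowBackup="true", one approach is to detect a restored session with a marker file that Auto Backup never copies. This is an added example, not code from the thread, FirebaseUI or Firebase; the class name `RestoredSessionGuard` and the marker file name are hypothetical, and it assumes minSdkVersion 21 or later for `getNoBackupFilesDir()`.

```java
import android.content.Context;
import com.google.firebase.auth.FirebaseAuth;
import java.io.File;
import java.io.IOException;

/** Hypothetical helper (added example): drops a Firebase session restored by Auto Backup. */
public final class RestoredSessionGuard {
    // Hypothetical file name; any name works as long as it lives in the no-backup dir.
    private static final String MARKER = "install_marker";

    private RestoredSessionGuard() {}

    /**
     * Call once at startup, before the first getCurrentUser() check.
     *
     * @return true if a session was present on a fresh install and was signed out.
     */
    public static boolean dropRestoredSession(Context context) {
        // Files under getNoBackupFilesDir() are excluded from Auto Backup, so the
        // marker is missing after a reinstall even when app data was restored.
        File marker = new File(context.getNoBackupFilesDir(), MARKER);
        if (marker.exists()) {
            return false; // same install as the last launch: leave auth state alone
        }

        // No marker: first launch of this install. A non-null user here did not
        // sign in on this install, so it came from restored app data.
        FirebaseAuth auth = FirebaseAuth.getInstance();
        boolean restored = auth.getCurrentUser() != null;
        if (restored) {
            // Clears only Firebase's local auth state; provider SDK state
            // (e.g. Facebook) is not touched here.
            auth.signOut();
        }

        try {
            marker.createNewFile();
        } catch (IOException e) {
            // Caveat: if the marker cannot be written, the next launch is treated
            // as a fresh install again and a legitimate session would be dropped.
        }
        return restored;
    }
}
```

Users who are already signed in when an update first ships this check have no marker yet, so they are signed out once on that first launch.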