Is there any way to delete the user from the firebase authentication?

Posted by 时光总嘲笑我的痴心妄想 on 2019-12-13 20:33:56

Question


I am using Firebase Auth Rest API. I have code written in PHP to add the user to the database and firebase authentication. The information I store is kind, idToken, email, refreshToken, expiresIn, localId. It all works great!

Now when I am trying to delete the user from the database it works fine, but it does not delete the user from the Firebase authentication. Please find the code below for sign up and deleting the user.

The errors I get are either CREDENTIALS_TOO_OLD_LOGIN_AGAIN or INVALID_ID_TOKEN.

FIREBASE_KEY is my Firebase key, and in the $data I am passing the user idToken.

/*
* User Sign Up
*/

function user_signup($data){
    // $data holds the sign-up fields and is sent to the Identity Toolkit REST endpoint as JSON
    $data = json_encode($data);

    $url = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/signupNewUser?key=".FIREBASE_KEY;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
    $jsonResponse = curl_exec($ch);
    // Return false on a transport error instead of an unusable body
    if(curl_errno($ch))
    {
        $jsonResponse = false;
    }
    curl_close($ch);
    return $jsonResponse;
}

/*
* User Delete
*/

/* function user_delete($data){
    // $data carries the user's idToken; this endpoint only accepts a fresh token of the
    // user being deleted, otherwise it answers CREDENTIALS_TOO_OLD_LOGIN_AGAIN or INVALID_ID_TOKEN
    $data = json_encode($data);
    $url = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/deleteAccount?key=".FIREBASE_KEY;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
    $jsonResponse = curl_exec($ch);

    // Return false on a transport error instead of an unusable body
    if(curl_errno($ch))
    {
        $jsonResponse = false;
    }
    curl_close($ch);

    return $jsonResponse;

} */

Answer 1:


There are two ways to interact with the Firebase REST APIs:

  • By authenticating your requests with a user's ID token, with the same permissions and limitations as if they would interact with your application on their own
  • By authenticating with the credentials of a Service Account, which gives you full access to your application, without any limitations.

To delete a user, you can use both methods, but when using a user's ID token, you have to authenticate as the user (effectively impersonating them) before being able to perform any actions on behalf of said user.

The better solution would be to use an Admin SDK to perform that task. By authenticating your requests to the Firebase REST APIs with Service Account Credentials as described in Add the Firebase Admin SDK to Your Server, you will be able to perform administrative tasks (like deleting a user from the authentication database) more easily.

Here are the steps to get started with Service Account based authentication:

  1. Generate Service Account credentials on https://console.firebase.google.com/project/_/settings/serviceaccounts/adminsdk
  2. Use the Google Auth Library for PHP to be able to make authenticated calls to the Google/Firebase APIs https://github.com/googleapis/google-auth-library-php#call-the-apis
  3. When you have created an HTTP client with the help of the Auth library, you can call this API endpoint to delete the user:
$client->post('https://www.googleapis.com/identitytoolkit/v3/relyingparty/deleteAccount', [
    'json' => [
        'localId' => 'uid-of-user-to-delete'
    ]
]);

The localId parameter is not documented on https://firebase.google.com/docs/reference/rest/auth/#section-delete-account, but it's used from within the official admin SDK and works.


Using an Admin SDK (https://firebase.google.com/docs/admin/setup#initialize_the_sdk) would be the recommended way to perform administrative tasks like this. Official SDKs exist for Node.js, Java, Python, Go and C# - I maintain an unofficial one for PHP that you can find at https://github.com/kreait/firebase-php. With it, you could perform the same task like this:

$serviceAccount = ServiceAccount::fromJsonFile('service_account.json');
$firebase = (new Factory())
    ->withServiceAccount($serviceAccount)
    ->create();

$firebase->getAuth()->deleteUser('uid-of-user-to-delete');

On a side note:

I would consider storing a user's ID token in a separate database a security risk: if your database gets compromised, attackers gain access to your users' ID tokens and can use those that aren't expired yet to access your application.

The recommended flow to pass a user from your frontend (web, mobile) to your backend (server) is:

  1. Use a Firebase Client SDK in your frontend, e.g. in your web application
  2. Let the user sign in to Firebase in the frontend via the client SDK, and when a user has successfully signed in, retrieve the ID token on your client, send it to your backend and verify the ID token on your backend.
  3. Once you've verified the ID token, you can extract the Firebase ID of your user from the ID token and save it to your database, e.g. in a table that maps your local user id to the Firebase User ID without the need to store their full ID token (= full credentials)
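The Service Account route from the answer above, written out end to end as an added example (not code from the answer or from the kreait library). It assumes the composer packages google/auth and guzzlehttp/guzzle, a service account JSON file downloaded from the Firebase console (the path and the uid are placeholders), and the Identity Toolkit OAuth scope.

```php
<?php
// Added example: delete a Firebase Auth user with Service Account credentials
// via google/auth + Guzzle instead of a user's ID token.
// Assumptions: composer packages google/auth and guzzlehttp/guzzle; the
// service account file path and the uid below are placeholders.
require 'vendor/autoload.php';

use Google\Auth\Credentials\ServiceAccountCredentials;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;
use GuzzleHttp\HandlerStack;

const SERVICE_ACCOUNT_JSON = '/secure/path/service_account.json'; // placeholder

function firebase_admin_client(): Client
{
    // OAuth scope for the Identity Toolkit (Firebase Auth) admin endpoints.
    $scopes = ['https://www.googleapis.com/auth/identitytoolkit'];
    $credentials = new ServiceAccountCredentials($scopes, SERVICE_ACCOUNT_JSON);

    // The middleware obtains a short-lived access token for the service account
    // and attaches it as a Bearer header, so no user ID token is involved.
    $stack = HandlerStack::create();
    $stack->push(new AuthTokenMiddleware($credentials));

    return new Client(['handler' => $stack, 'auth' => 'google_auth']);
}

function delete_firebase_user(Client $client, string $uid): bool
{
    try {
        $response = $client->post(
            'https://www.googleapis.com/identitytoolkit/v3/relyingparty/deleteAccount',
            ['json' => ['localId' => $uid]]
        );
    } catch (RequestException $e) {
        // Identity Toolkit answers errors with a JSON body (e.g. a USER_NOT_FOUND message).
        $body = $e->hasResponse() ? (string) $e->getResponse()->getBody() : $e->getMessage();
        error_log("deleteAccount failed for {$uid}: {$body}");
        return false;
    }
    return $response->getStatusCode() === 200;
}

// Usage: call this from your own account-deletion handler, after removing
// the local database row for the user (uid is a placeholder).
$ok = delete_firebase_user(firebase_admin_client(), 'uid-of-user-to-delete');
```

Keep the service account file outside the web root and readable only by the backend process; it grants full administrative access to the project.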

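The backend half of the recommended flow (steps 2 and 3 in the answer's side note), as an added example that is not part of the answer: verify the ID token the client SDK sent, then keep only the Firebase UID (the `sub` claim) rather than the token. It assumes the composer package firebase/php-jwt (v6 API), that Google's published x509 certificate PEMs are accepted as RS256 key material by that library, and a placeholder project id.

```php
<?php
// Added example: verify a Firebase ID token on the server and return the UID.
// Assumptions: composer package firebase/php-jwt (v6), placeholder project id,
// and that PEM certificates from Google's cert endpoint work as RS256 keys.
require 'vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

const FIREBASE_PROJECT_ID = 'your-project-id'; // placeholder
const FIREBASE_CERTS_URL =
    'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';

/** Returns the Firebase UID for a valid ID token, or null if the token must be rejected. */
function firebase_uid_from_id_token(string $idToken): ?string
{
    // Google rotates these certificates; in production cache the response
    // according to its Cache-Control header instead of fetching per request.
    $certs = json_decode((string) file_get_contents(FIREBASE_CERTS_URL), true);
    if (!is_array($certs)) {
        return null;
    }
    // Build a kid => Key map; the library selects the key named in the token's "kid" header
    // and refuses any token whose "alg" header is not RS256.
    $keys = [];
    foreach ($certs as $kid => $pem) {
        $keys[$kid] = new Key($pem, 'RS256');
    }

    try {
        // Verifies the signature and the exp / nbf / iat claims; throws on any failure.
        $claims = JWT::decode($idToken, $keys);
    } catch (\Throwable $e) {
        return null;
    }

    // Remaining checks a Firebase ID token must pass: audience, issuer and a non-empty subject.
    $issuer = 'https://securetoken.google.com/' . FIREBASE_PROJECT_ID;
    if (($claims->aud ?? null) !== FIREBASE_PROJECT_ID
        || ($claims->iss ?? null) !== $issuer
        || empty($claims->sub)) {
        return null;
    }
    return $claims->sub;
}

// Usage: persist $uid next to your local user id; the token itself is never stored.
$uid = firebase_uid_from_id_token($_POST['idToken'] ?? '');
```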

Source: https://stackoverflow.com/questions/55326844/is-there-any-way-to-delete-the-user-from-the-firebase-authentication
