I'm working on an Angular app and I use Firebase to authenticate my users. I would like to know how I could prevent my users from giving their account to other people. Also, I would like to prevent people from using the same account to log in from different devices at the same time. I found some very good tutorials on building a presence system, but these systems don't prevent the same account from being used by many different people on several devices. I have been able to check if a user is trying to use an account that is already in use (online), but I can't manage to log out one of those users (using an already online account). I tried to call auth.signout() inside the signInwithemailAndPassword() method but it doesn't work; I don't succeed in logging out the users. Thank you for your help. What I would need is a snippet because theoretically, everything is very simple.
Since you didn't state what language you're using I'm just going to use Swift, but the principles behind what I laid out here are the same for any language.
Take a look at this question. It appears that Firebase does not directly support what you are looking for. You can, however, do something like this:
Create a tree in your database that stores a boolean value for user signins.
    SignedIn: {
        uid1: {
            "signedIn": true
        },
        uid2: {
            "signedIn": false
        }
        .....
    }
I'm assuming somewhere after authentication you change the screen. You'll now want to perform an additional query before doing that. If the user is already signed in you can display an alert, otherwise you can just continue as you always did.
    import FirebaseAuth
    import FirebaseDatabase

    func alreadySignedIn() {
        // Only check when a user is currently authenticated
        if let uid = Auth.auth().currentUser?.uid {
            // Read SignedIn/<uid> once
            Database.database().reference().child("SignedIn").child(uid).observeSingleEvent(of: .value, with: { snap in
                if let dict = snap.value as? [String: Any] {
                    if let signedIn = dict["signedIn"] as? Bool {
                        if signedIn {
                            // display an alert telling the user only one device can use
                            // their account at a time
                        }
                        else {
                            // change the screen like normal
                        }
                    }
                }
            })
        }
    }
Of course this just prevents the account from being "shared" at the same time. You can make a stricter guideline if you only allow sign in based on a device id. For example you could get the device id and only allow sign in on that device. You'd have to allow users to update this when they get a new device, but if you really want to lock your accounts down this might be a better option.
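Added example, not part of the original answer: a read-then-act check on `signedIn` lets two devices both read `false` before either writes, and the flag stays `true` if the app is killed, so this JavaScript version claims the session in one atomic update with an owner and a lease. The function names, the `deviceId` and `lastSeen` fields, the 60-second lease and the in-memory node are assumptions made for illustration; `claimSession` has the shape of the update function that Firebase's `runTransaction` accepts (returning `undefined` aborts).

```javascript
const LEASE_MS = 60000; // assumed: a session not refreshed for 60 s is stale

// Same shape as the update function Firebase's runTransaction() takes:
// gets the current value at SignedIn/<uid>, returns the new value, or
// undefined to abort and leave the stored data untouched.
function claimSession(current, deviceId, now) {
  const held = Boolean(current && current.signedIn === true);
  const fresh = held && now - current.lastSeen < LEASE_MS;
  if (fresh && current.deviceId !== deviceId) {
    return undefined; // another device holds a live session: refuse
  }
  return { signedIn: true, deviceId, lastSeen: now }; // claim or heartbeat
}

// Release only when this device owns the record, so a refused device
// cannot clear the session of the device that is actually signed in.
function releaseSession(current, deviceId) {
  if (!current || current.deviceId !== deviceId) return undefined;
  return { signedIn: false };
}

// In-memory stand-in for one database node so the logic runs offline.
function makeNode(initial = null) {
  let value = initial;
  return {
    get: () => value,
    transact(update) {
      const next = update(value);
      if (next !== undefined) value = next;
      return next !== undefined; // true when the write was committed
    },
  };
}

// Constructed scenario: devices A and B sign in with the same account.
function simulate() {
  const node = makeNode({ signedIn: false });
  const t0 = 1000000; // constructed timestamp in ms
  const results = {
    aClaims: node.transact(v => claimSession(v, "device-A", t0)),
    bRefused: !node.transact(v => claimSession(v, "device-B", t0 + 5000)),
    bCannotRelease: !node.transact(v => releaseSession(v, "device-B")),
    aHeartbeat: node.transact(v => claimSession(v, "device-A", t0 + 30000)),
    bAfterLease: node.transact(v => claimSession(v, "device-B", t0 + 30000 + LEASE_MS)),
  };
  return { ...results, owner: node.get().deviceId };
}
```

In the app, `claimSession` would be passed to `runTransaction` from `firebase/database` on the `SignedIn/<uid>` reference, with a periodic call from the owning device acting as the heartbeat. A check that runs only in the client is advisory unless the database rules enforce the same condition.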