Question

I am trying to remove a user programmatically from my firebase. The method removeuser takes 2 arguments, email and password. Now email is not hard to find out since this is stored in the auth variable + I am adding it in my database when a user is created. However, how am I supposed to find out the password from the user?

When I create a user I do add the generated md5_hash information with this user in my database. However, I cannot convert this value back to the real password.

I also obviously do not want to store the real password in the database since this is just asking for problems.

So I'm wondering, is there anything overly obvious I am missing here on how to remove a user programmatically from the database, with his password? (Why do I actually even need his password to remove him?)

EDIT: To clarify, I am only allowing an admin to delete users, so he has a list of every user that has been created in my firebase. Having a user delete his own user account is still not so easy since (I presume) the firebase hashing algorithm is not public, so there's no way for me to check if he did input the correct password.

Solution

Firebase Simple Login is a service built on top of Firebase Custom Login, and provides useful primitives for authenticating users via common means.

By design, Firebase Simple Login does not give you access to the users' passwords programmatically, as it only increases the risk that they are not handled or stored securely. Today, the only two methods that can be used to remove an email / password hash mapping are either via the client API using the email and password, or via the admin panel at https://<YOUR-FIREBASE>.firebaseio.com.

Keep in mind that when using email / password login, Firebase Simple Login simply creates a new mapping between an email address and a password hash, but does not store any information in your Firebase. Also note that there is no way to "blacklist" a user id, so if you remove the mapping, the user could re-create it.

If you want to ban / block users, a better approach would be to create a new list in Firebase of your "blacklisted" users, and then use security rules to ensure that that user is in the list (i.e. user is blocked if root.child('blocked-users').hasChild(auth.uid)).
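A sketch of security rules for the blocked-users list suggested in the answer above, added here as an example and not part of the original answer. The `admins` and `messages` paths are hypothetical; only `blocked-users` and `auth.uid` come from the answer. The rules keep the block list writable by admins only, so a blocked user cannot remove their own entry.

```json
{
  "rules": {
    // Hypothetical admin list, keyed by uid. Maintain it from the admin
    // panel; no client is allowed to write it.
    "admins": {
      ".read": "auth != null && root.child('admins').hasChild(auth.uid)",
      ".write": false
    },

    // Block list keyed by uid, e.g. blocked-users/<uid> = true.
    // Only admins may read or change it.
    "blocked-users": {
      ".read": "auth != null && root.child('admins').hasChild(auth.uid)",
      ".write": "auth != null && root.child('admins').hasChild(auth.uid)"
    },

    // Hypothetical application data. Access requires a logged-in user
    // whose uid is NOT in blocked-users. Re-creating the email / password
    // mapping does not help a blocked user while the uid stays listed.
    "messages": {
      ".read": "auth != null && !root.child('blocked-users').hasChild(auth.uid)",
      ".write": "auth != null && !root.child('blocked-users').hasChild(auth.uid)"
    }

    // No ".read" or ".write" is granted at the root: a grant at a parent
    // path cannot be revoked by a rule on a child path, so a root-level
    // grant would bypass the blocked-users check.
  }
}
```

Every path that should be closed to blocked users needs the same `!root.child('blocked-users').hasChild(auth.uid)` condition; a path without it stays open to them.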

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow