
Delete or Prevent Users From Accessing an App

On this page

  • Delete a User
  • Delete a User in the SDK
  • Manually Delete a User
  • Delete a User with a Custom Function
  • Disable a User
  • Enable a User
  • Revoke a User's Sessions

You can completely remove a user from your application, including any metadata and authentication provider identities.

Tip

If you don't want to delete the user's account, you can disable their account to temporarily suspend their access.

You can give users the option to delete their own account from a client application when you use the Realm SDKs to delete users.

Note

App Services does not automatically delete any data in your linked MongoDB Atlas cluster that you have associated with a deleted user. For example, if your application lets users create documents that are linked to them by storing their user ID in an owner_id field, deleting the user object does not delete those documents. To remove all traces of a deleted user, you must manually delete or modify any such documents, and also remove the user's ID from any shared documents that reference it (for example, a collaborators array).

You can write a custom function to delete a user. You might want to do this if your SDK does not yet support the delete users API.

Create a function similar to the example below and set its authentication to Application Authentication, so that context.user is the calling user. Check the status of every Admin API response so that a failed login or a failed delete is reported to the caller as an error rather than as a success.

For this example function, we stored the public and private halves of an Admin API key pair as Secrets and exposed them through the Values adminApiPublicKey and adminApiPrivateKey, which the function reads with context.values.get(). Keep the private key in a Secret rather than a plain Value: an Admin API key is a project-level credential that can do far more than delete a single user, and the function must never return it to the client. Replace the {insert-your-project-id} and {insert-your-app-id} placeholders in apiUrl with your Project (Group) ID and Application ID.

We can then call this function from the SDK. The example function below takes no arguments and deletes only the user who calls it: it reads that user's ID from context.user instead of a parameter, so no caller can delete another user's account.

Tip

If your app uses Email/Password Authentication, you may also want to delete pending users (accounts that registered but never confirmed their email address), which involves a second Admin API endpoint that the example function below does not call.

const apiUrl = "https://realm.mongodb.com/api/admin/v3.0/groups/{insert-your-project-id}/apps/{insert-your-app-id}";

exports = async function () {
  // This function deletes the user who calls it. It gets this user's ID
  // from the user in the function context. This is safer than accepting
  // a passed-in user ID, as the user can never delete any other user's account.
  const callersUserId = context.user.id;

  // Exchange the Admin API key pair (Values backed by Secrets) for a
  // short-lived Admin API access token.
  async function adminLogIn() {
    const username = context.values.get("adminApiPublicKey");
    const apiKey = context.values.get("adminApiPrivateKey");
    const response = await context.http.post({
      url: "https://realm.mongodb.com/api/admin/v3.0/auth/providers/mongodb-cloud/login",
      body: { username, apiKey },
      encodeBodyAsJSON: true,
    });
    if (response.statusCode !== 200) {
      throw new Error(`Admin API login failed with HTTP ${response.statusCode}`);
    }
    const body = EJSON.parse(response.body.text());
    if (!body.access_token) {
      throw new Error("Admin API login returned no access_token");
    }
    return body.access_token;
  }

  const token = await adminLogIn();

  // Delete the given user through the Admin API and surface a non-2xx
  // response as an error instead of silently returning the ID.
  async function deleteUser(_id) {
    const response = await context.http.delete({
      url: `${apiUrl}/users/${_id}`,
      headers: { Authorization: [`Bearer ${token}`] },
    });
    if (response.statusCode < 200 || response.statusCode >= 300) {
      throw new Error(`Deleting user ${_id} failed with HTTP ${response.statusCode}`);
    }
    return _id;
  }

  return deleteUser(callersUserId);
};

You can temporarily disable a user, which prevents the user from logging in and invalidates any of the user's existing access and refresh tokens.

You can enable a disabled user to let them log in again.

You can revoke all of a user's current sessions. This invalidates the sessions and prevents the user from making any requests on any device until they log in again.
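The disable, enable and revoke-sessions operations above can be driven from a function in the same way the delete example does it. The following is an added example, not code from the App Services docs: it reuses the mongodb-cloud login exchange shown in the delete function and then calls the per-user Admin API actions. The endpoint paths (PUT .../users/{id}/disable, .../enable and .../logout, each assumed to answer with a 2xx status and no body) are my assumptions and should be checked against your Admin API reference. The HTTP client is injected: inside an App Services function you would pass context.http; here a constructed fake stands in so the code runs offline.

```javascript
// Added example (not from the App Services docs). Disables, enables and
// revokes the sessions of a user through the Admin API, reusing the
// mongodb-cloud login exchange from the page's delete-user function.
// ASSUMPTIONS to verify against your Admin API reference: the user actions
// are PUT {apiUrl}/users/{id}/disable, .../enable and .../logout, each
// answering with a 2xx status and no body. `http` is injected: inside an
// App Services function pass context.http; here we pass a constructed fake.

const ADMIN_BASE = "https://realm.mongodb.com/api/admin/v3.0";

// Pure helper so the request shape can be checked without any network.
function userActionUrl(apiUrl, userId, action) {
  if (!["disable", "enable", "logout"].includes(action)) {
    throw new Error(`unsupported user action: ${action}`);
  }
  return `${apiUrl}/users/${encodeURIComponent(userId)}/${action}`;
}

// Reject anything but a 200 carrying an access_token; never treat a
// failed login as success.
function parseLoginResponse(response) {
  if (response.statusCode !== 200) {
    throw new Error(`Admin API login failed: HTTP ${response.statusCode}`);
  }
  const body = JSON.parse(response.body.text());
  if (typeof body.access_token !== "string" || body.access_token === "") {
    throw new Error("Admin API login returned no access_token");
  }
  return body.access_token;
}

async function adminLogIn(http, username, apiKey) {
  const response = await http.post({
    url: `${ADMIN_BASE}/auth/providers/mongodb-cloud/login`,
    body: { username, apiKey },
    encodeBodyAsJSON: true,
  });
  return parseLoginResponse(response);
}

async function userAction(http, token, apiUrl, userId, action) {
  const response = await http.put({
    url: userActionUrl(apiUrl, userId, action),
    headers: { Authorization: [`Bearer ${token}`] },
  });
  if (response.statusCode < 200 || response.statusCode >= 300) {
    throw new Error(`${action} for user ${userId} failed: HTTP ${response.statusCode}`);
  }
  return action;
}

// Suspend: per the page, disabling also invalidates the user's existing
// access and refresh tokens, so no separate logout call is needed here.
async function suspendUser(http, creds, apiUrl, userId) {
  const token = await adminLogIn(http, creds.publicKey, creds.privateKey);
  return userAction(http, token, apiUrl, userId, "disable");
}

async function reinstateUser(http, creds, apiUrl, userId) {
  const token = await adminLogIn(http, creds.publicKey, creds.privateKey);
  return userAction(http, token, apiUrl, userId, "enable");
}

// "Sign out everywhere": revoke every session but leave the account enabled.
// From an App Services function pass context.user.id as userId, never a
// client-supplied argument, so a caller can only revoke their own sessions.
async function revokeSessions(http, creds, apiUrl, userId) {
  const token = await adminLogIn(http, creds.publicKey, creds.privateKey);
  return userAction(http, token, apiUrl, userId, "logout");
}

// Constructed fake of context.http for offline use: records every request
// and answers the way the real API is assumed to (token on login, 204 on actions).
function fakeAdminHttp({ rejectLogin = false } = {}) {
  const calls = [];
  const reply = (statusCode, text = "") => ({ statusCode, body: { text: () => text } });
  return {
    calls,
    async post(req) {
      calls.push({ method: "POST", url: req.url });
      if (rejectLogin) return reply(401, JSON.stringify({ error: "invalid credentials" }));
      return reply(200, JSON.stringify({ access_token: "fake-access-token" }));
    },
    async put(req) {
      calls.push({ method: "PUT", url: req.url, auth: req.headers.Authorization[0] });
      return reply(204);
    },
  };
}

// Stand-alone run against the fake; the IDs below are constructed, not real.
const demoApiUrl = `${ADMIN_BASE}/groups/000000000000000000000001/apps/000000000000000000000002`;
const demoCreds = { publicKey: "demo-public-key", privateKey: "demo-private-key" };
const demoHttp = fakeAdminHttp();
suspendUser(demoHttp, demoCreds, demoApiUrl, "000000000000000000000003")
  .then(() => reinstateUser(demoHttp, demoCreds, demoApiUrl, "000000000000000000000003"))
  .then(() => revokeSessions(demoHttp, demoCreds, demoApiUrl, "000000000000000000000003"))
  .then(() => console.log(demoHttp.calls.map((c) => `${c.method} ${c.url}`).join("\n")));
```

Because the key pair is exchanged for a token on every call and each response status is checked, a rejected login or a non-2xx action fails loudly instead of returning as if the user had been disabled or signed out.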

© 2023 MongoDB, Inc.