I've encountered a strange behavior of the Firebase simple login with email/password: If I login with an existing user account I'm able to write to a Firebase ref (i.e. $root/list/$item). If not, I have no write access as expected (Firebase rules seem to be OK), BUT if a client is logged in, and I meanwhile delete a user from Firebase Forge (Auth page), the connected client has still write access to the Firebase ref! Is it by design or is it a bug? Thanks.

here are the rules:

{
  "rules": {
    ".read": true,
    "list": {
      "$item": {
        ".write": "auth != null && newData.child('author').val() == auth.id",
        ".validate": "newData.hasChildren(['author', 'content'])",
        "author": {
          ".validate": "newData.val() == auth.id"
        },
        "content": {
          ".validate": "newData.isString()"
        }
      }
    }
  }
}

Short answer: by design, or more accurately, not applicable in this case.

During auth, FirebaseSimpleLogin generates a token. Once the token is given to a client, it remains valid until it expires. Thus, when you delete the user account in simple login, this does not somehow go to the client's machine and remove the token. This is a pretty standard auth model, and the expiration length on the token (configurable in Forge) is the key constraint for security.

If you want to revoke logins immediately, then simple login is not the right tool for the job. You'll want to use custom login and generate your own tokens. There are some great discussions on revokable tokens, so I'll defer you to those, since that's outside the purview of your question.