Facebook Javascript SDK Autologin & Tokens - javascript

I am using the Facebook login as an authentication for my PhoneGap application - once a user logs in, their data is retrieved from my database to display information. I am not using the SDK for any other purpose.
I have the Facebook auto login working fine - it retrieves an authResponse and my Facebook information. Since the access token changes with each login, what can I use to store locally and in my database to authenticate the user on my server for future logins?
Here is a flow that I think could work...
User sees logs in screen and enters Facebook credentials
Facebook securely validates and returns user information & access token
The app uses localStorage to store user email and access token
For future autologin, the localStorage values are used as email/password
I feel like this cannot be the correct answer, however.

I figured out a solution - I was confused about storing passwords on my database to fetch user information. Rather, these are the correct steps:
Use Facebook SDK to handle the login and retrieve the authResponse
Update the user table in my database with the temporary access token and retrieve user's information
For every POST or GET the user wishes to perform, I will match the FB.getLoginStatus() results from the database's access token (the check will be done server side)
If the tokens match, perform requests. Otherwise, force the user to login again.

Related

How to store user data in browser more securely?

I'm working on a project where I'm verifying admin and user from the backend. I have a database and there is a collection called admins. I stored my admin's email there and when a user will log in if the user's email is available in the database it will return isAdmin true or else it will return false. so that's how I can give the admin special access. But the problem is I'm storing my user information in the local storage so every time when the user opens the browser I can get his info without login him. so I have to also store isAdmin true or false in the local storage. If anyone edits the local storage he can get access to the admin panel. I want to know how can I make it more secure or how can I store isAdmin more securely so that no one can edit it from the client-side?
so ideally you shouldn't really solve these issues on frontend side of application but on API (backend, db, whatever you use). Only this that should be somehow saved on frontend (client) is user's token and with every request to API you should include this token and backend should be responsible for authorisation of request.
Simple example:
user logs in to api
api responds with auth token - 'abcd1234'
client saves this token to local storage / cookie
in next calls you include this token to request
GET /all-users { headers: { Authorisation: 'abcd1234' } }
API reads this token, decides if owner of this token is authorised to access these data
It's not this simple in real life, but you should understand a little.
And now solution to your problem - i suggest you to do none of this, but for school project its okay i guess
store your role in some hash so user doesn't know what is under the hash and can't simply guess admin hash
use some UUID instead of role - basically same as 1.
store your role in some global variable - so this way users can't see them in localStorage or cookies -- but its on client so its accessible to everyone in source code

FB login steps clarification

I am integrating FB Login in my website. For this purpose I am using Javascript SDK. Here are the steps which I am trying to follow.
User clicks on FB Login option, user is shown with POP UP by FB to enter his credentials.
FB sends response which includes accessToken, expire time etc.
After this user will see registration form dedicated to my website filled with email and other basic entries. He has to just choose some username and then click on signup.
As soon as user clicks on signup his details will be stored into DB, his username will be kept in session and he is signed in now.
User logs-out. Now, user again clicks on FB Login, if there is email already present in DB I am making the user log into my website by putting his username in session.
Here, are my questions now.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
Also, is there a need to store access token in cookie/session?
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
As far as I know once access token expires Javascript SDK will generate new access token. So, if user logs in after a long time then this validation might not be applicable.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
No, if you are not planning to do any automated tasks for the user with your server. In this case you'd need to change the access token to a long-lived token, but that's another thread.
Also, is there a need to store access token in cookie/session?
No, Facebook's JS SDK does all the access token handling for you.
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
No. You can save the Facebook User ID to your database, which is more constant than the email. Email can change, user id does not. So you should compare the user ID.
And just as a side-note:
Facebook also has a server-side login flow that should be used to authenticate the user. If you just use JS SDK to authenticate the user, it would be relatively easy to log in as any user imaginable from the client.

Facebook login with Javascript & ASP.NET Web API

I'm having some trouble wrapping my head around Facebook login coupled with my api security-wise for a webapp I'm creating. What do I need to store in my database, ID, token, something hashed etc? My flow so far is as follows:
When a user visit my app they see a welcome text with a button saying "Login with Facebook".
They hit the Facebook-button, if the user do not exist a new row is created in the database. For now I'm storing the user's Facebook name, id and a hashed token with the combination of the two. And then store a cookie with the token.
If the user return later to visit the app, they get redirected to the app without going through the Facebook login, because the token is stored in the cookie, and the user is found in the database based on it.
If the user return to the app without a the cookie token. The user has to hit the login with Facebook-button again, but now the user exist in the database and based on the name and id, I can find the user and return the token for a cookie.
Step 4 however seem a bit unsecure. Based on the name and id I can find a token of a user and set it in my cookie, granted I know (or can find?) the name and the id of that user I want to exploit.
This is my flow. Am I approaching this wrong, do I have to use the Facebook SDK C# in my Web API for server-side validation regarding a access token of some sort?
Any tips, hints or pointers to another flow is very welcome aswell.
Here is my desired flow:

Embedding yammer feed skipping OAuth, using access token only

I have successfully authenticated user and I stored its access token in the database. I use it to call some Rest API from the server side. When user logs out, yammer forces logging in again to access embedded feeds.
Is it possible to authenticate (or impersonate) user automatically, using only its token via JavaScript to access embedded feeds?
I'm not going to call Rest API as described here, I just need to embed feed skipping yammer login page, using access token only.
If you have saved the OAUTH token of a user in your database then you can re-use that token to authenticate against Yammer even if the user has logged out of Yammer and logged back in, however I would advise against storing user OAUTH tokens because they do not expire.

Oauth login and registration with custom username, express.js

I use node.js+express.js stack, users can reigster/login with twitter and facebook, and also can register with my native registration form. I use everyauth to handle with Twee and Fb.
The question is:
Is there a simple solution to register users with third-party oauth services while allowing them to change it's username?
example:
User logins to site with twitter first time -> he gets form where he adds his CUSTOM USERNAME and email.
While he logins next time I need to check in db his CUSTOM USERNAME and not his twitter one.
Yes it is possible. On first login attempt you authenticate the user via twitter using the node-oauth module. Here's a tutorial. After the authentication process is done, twitter sends a unique ID in its results, you store that with oauth token and secret (if you want to) inside your DB. Also save these data in Session and show a form where you ask for the user to choose a username of his wish. Use that and store in DB.
Next time, when he tries to authenticate again, you just check against the unique ID stored in your database (not the username really).

Categories

Resources