I am integrating FB Login in my website. For this purpose I am using Javascript SDK. Here are the steps which I am trying to follow.
User clicks on FB Login option, user is shown with POP UP by FB to enter his credentials.
FB sends response which includes accessToken, expire time etc.
After this user will see registration form dedicated to my website filled with email and other basic entries. He has to just choose some username and then click on signup.
As soon as user clicks on signup his details will be stored into DB, his username will be kept in session and he is signed in now.
User logs-out. Now, user again clicks on FB Login, if there is email already present in DB I am making the user log into my website by putting his username in session.
Here, are my questions now.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
Also, is there a need to store access token in cookie/session?
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
As far as I know once access token expires Javascript SDK will generate new access token. So, if user logs in after a long time then this validation might not be applicable.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
No, if you are not planning to do any automated tasks for the user with your server. In this case you'd need to change the access token to a long-lived token, but that's another thread.
Also, is there a need to store access token in cookie/session?
No, Facebook's JS SDK does all the access token handling for you.
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
No. You can save the Facebook User ID to your database, which is more constant than the email. Email can change, user id does not. So you should compare the user ID.
And just as a side-note:
Facebook also has a server-side login flow that should be used to authenticate the user. If you just use JS SDK to authenticate the user, it would be relatively easy to log in as any user imaginable from the client.
Related
I am creating a "masquerade" admin log in system where admins can log into different user's accounts.
I am using a passport/express authentication system. I am trying to figure out a way to sign into another user's account while they are signed in as an admin.
My current strategy is to modify the req.user object and switch the password and username on the user object, then forward the modified user object to the login function in order to sign in as a different user. Is this possible or should I find a different way about this?
Thank you!
I assume you are using express-session.When you are serializing user, what happens is that express-session put your user info into your session.You can change the info that you re putting in your session. You might add something like "currentAccount" if the user is admin. If admin changes to a user account, you may also create a new session with a new account or you might looking for a cookie/session manupilation library and change info in the current session. With deserializing, you can reach session info in your req.session.passport and your currentAccount info will be also in req.session.passport
I am creating a login for my chrome extension where I am going to be using the firebase email and password.
I am going to be putting the create User firebase code on my website and when someone can enter in there email and the script will create a random set of digits and set that as the password. It will then email that password to the user and the user uses the email he entered and the random digit password he received via email to login.
My question is If a user signs up and then logs in with his email and password. Whats to stop him from giving that email and password to his friend and he also logs in. I want to control the amount of users I allow within my chrome extension and only want the person who logged in to use the chrome extension (I want so the login can only be used once) Is this possible for firebase or not?
Also If anyone knows a simpler method than that I described above with sending the email please let me know becuase to do that above I have to create something that sends an email and creates the password.
I would also like to know if firebase has something where I can set a date on a user and after that date passes the user is logged out and has to register again.
But my main question is that if a user where to register if he has the ability to share the login with his friend or if only he can use it.
I really appreciate your reply and help on my issue in advance Thanks A lot.
You'll likely have to do this from the server side (e.g. in a Cloud Function).
One option would be to use the session management features in the auth admin SDK: https://firebase.google.com/docs/auth/admin/manage-sessions - if you report back from the extension with the logged in user, you can revoke access for users who are seen in too many places at the same time. This limit might not be 1 - you may want to allow your users to log in on multiple machines at once.
For even more control, look at the option for managing your own session cookie: https://firebase.google.com/docs/auth/admin/manage-cookies - this allows you to set your own expiry and control the logged in state more granularly.
I am using the Facebook login as an authentication for my PhoneGap application - once a user logs in, their data is retrieved from my database to display information. I am not using the SDK for any other purpose.
I have the Facebook auto login working fine - it retrieves an authResponse and my Facebook information. Since the access token changes with each login, what can I use to store locally and in my database to authenticate the user on my server for future logins?
Here is a flow that I think could work...
User sees logs in screen and enters Facebook credentials
Facebook securely validates and returns user information & access token
The app uses localStorage to store user email and access token
For future autologin, the localStorage values are used as email/password
I feel like this cannot be the correct answer, however.
I figured out a solution - I was confused about storing passwords on my database to fetch user information. Rather, these are the correct steps:
Use Facebook SDK to handle the login and retrieve the authResponse
Update the user table in my database with the temporary access token and retrieve user's information
For every POST or GET the user wishes to perform, I will match the FB.getLoginStatus() results from the database's access token (the check will be done server side)
If the tokens match, perform requests. Otherwise, force the user to login again.
I'm having some trouble wrapping my head around Facebook login coupled with my api security-wise for a webapp I'm creating. What do I need to store in my database, ID, token, something hashed etc? My flow so far is as follows:
When a user visit my app they see a welcome text with a button saying "Login with Facebook".
They hit the Facebook-button, if the user do not exist a new row is created in the database. For now I'm storing the user's Facebook name, id and a hashed token with the combination of the two. And then store a cookie with the token.
If the user return later to visit the app, they get redirected to the app without going through the Facebook login, because the token is stored in the cookie, and the user is found in the database based on it.
If the user return to the app without a the cookie token. The user has to hit the login with Facebook-button again, but now the user exist in the database and based on the name and id, I can find the user and return the token for a cookie.
Step 4 however seem a bit unsecure. Based on the name and id I can find a token of a user and set it in my cookie, granted I know (or can find?) the name and the id of that user I want to exploit.
This is my flow. Am I approaching this wrong, do I have to use the Facebook SDK C# in my Web API for server-side validation regarding a access token of some sort?
Any tips, hints or pointers to another flow is very welcome aswell.
Here is my desired flow:
I use node.js+express.js stack, users can reigster/login with twitter and facebook, and also can register with my native registration form. I use everyauth to handle with Twee and Fb.
The question is:
Is there a simple solution to register users with third-party oauth services while allowing them to change it's username?
example:
User logins to site with twitter first time -> he gets form where he adds his CUSTOM USERNAME and email.
While he logins next time I need to check in db his CUSTOM USERNAME and not his twitter one.
Yes it is possible. On first login attempt you authenticate the user via twitter using the node-oauth module. Here's a tutorial. After the authentication process is done, twitter sends a unique ID in its results, you store that with oauth token and secret (if you want to) inside your DB. Also save these data in Session and show a form where you ask for the user to choose a username of his wish. Use that and store in DB.
Next time, when he tries to authenticate again, you just check against the unique ID stored in your database (not the username really).