I'm having some trouble wrapping my head around Facebook login coupled with my api security-wise for a webapp I'm creating. What do I need to store in my database, ID, token, something hashed etc? My flow so far is as follows:
When a user visit my app they see a welcome text with a button saying "Login with Facebook".
They hit the Facebook-button, if the user do not exist a new row is created in the database. For now I'm storing the user's Facebook name, id and a hashed token with the combination of the two. And then store a cookie with the token.
If the user return later to visit the app, they get redirected to the app without going through the Facebook login, because the token is stored in the cookie, and the user is found in the database based on it.
If the user return to the app without a the cookie token. The user has to hit the login with Facebook-button again, but now the user exist in the database and based on the name and id, I can find the user and return the token for a cookie.
Step 4 however seem a bit unsecure. Based on the name and id I can find a token of a user and set it in my cookie, granted I know (or can find?) the name and the id of that user I want to exploit.
This is my flow. Am I approaching this wrong, do I have to use the Facebook SDK C# in my Web API for server-side validation regarding a access token of some sort?
Any tips, hints or pointers to another flow is very welcome aswell.
Here is my desired flow:
Related
I am using the Facebook login as an authentication for my PhoneGap application - once a user logs in, their data is retrieved from my database to display information. I am not using the SDK for any other purpose.
I have the Facebook auto login working fine - it retrieves an authResponse and my Facebook information. Since the access token changes with each login, what can I use to store locally and in my database to authenticate the user on my server for future logins?
Here is a flow that I think could work...
User sees logs in screen and enters Facebook credentials
Facebook securely validates and returns user information & access token
The app uses localStorage to store user email and access token
For future autologin, the localStorage values are used as email/password
I feel like this cannot be the correct answer, however.
I figured out a solution - I was confused about storing passwords on my database to fetch user information. Rather, these are the correct steps:
Use Facebook SDK to handle the login and retrieve the authResponse
Update the user table in my database with the temporary access token and retrieve user's information
For every POST or GET the user wishes to perform, I will match the FB.getLoginStatus() results from the database's access token (the check will be done server side)
If the tokens match, perform requests. Otherwise, force the user to login again.
I am integrating FB Login in my website. For this purpose I am using Javascript SDK. Here are the steps which I am trying to follow.
User clicks on FB Login option, user is shown with POP UP by FB to enter his credentials.
FB sends response which includes accessToken, expire time etc.
After this user will see registration form dedicated to my website filled with email and other basic entries. He has to just choose some username and then click on signup.
As soon as user clicks on signup his details will be stored into DB, his username will be kept in session and he is signed in now.
User logs-out. Now, user again clicks on FB Login, if there is email already present in DB I am making the user log into my website by putting his username in session.
Here, are my questions now.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
Also, is there a need to store access token in cookie/session?
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
As far as I know once access token expires Javascript SDK will generate new access token. So, if user logs in after a long time then this validation might not be applicable.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
No, if you are not planning to do any automated tasks for the user with your server. In this case you'd need to change the access token to a long-lived token, but that's another thread.
Also, is there a need to store access token in cookie/session?
No, Facebook's JS SDK does all the access token handling for you.
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
No. You can save the Facebook User ID to your database, which is more constant than the email. Email can change, user id does not. So you should compare the user ID.
And just as a side-note:
Facebook also has a server-side login flow that should be used to authenticate the user. If you just use JS SDK to authenticate the user, it would be relatively easy to log in as any user imaginable from the client.
I use node.js+express.js stack, users can reigster/login with twitter and facebook, and also can register with my native registration form. I use everyauth to handle with Twee and Fb.
The question is:
Is there a simple solution to register users with third-party oauth services while allowing them to change it's username?
example:
User logins to site with twitter first time -> he gets form where he adds his CUSTOM USERNAME and email.
While he logins next time I need to check in db his CUSTOM USERNAME and not his twitter one.
Yes it is possible. On first login attempt you authenticate the user via twitter using the node-oauth module. Here's a tutorial. After the authentication process is done, twitter sends a unique ID in its results, you store that with oauth token and secret (if you want to) inside your DB. Also save these data in Session and show a form where you ask for the user to choose a username of his wish. Use that and store in DB.
Next time, when he tries to authenticate again, you just check against the unique ID stored in your database (not the username really).
I have client-side FB connect working. In my example you just click login with Facebook and then a popup appears, they login and then are returned to the app, where I display their name and pic.
My questions are around how to make use of this connection.
If they are using fb to log in would I create an account with this
information the first time? Then supplement this info with app specific stuff? Then grab that account every time they login? How should I reference the existing account?
Can I only query the API for data from the client, or can I store some info on
the server that lets me query their account from the server?
How would something like finding out if two people are friends work?
Would this be done on the server? What does the query look like?
How long do sessions last and how is it decided? Will the login persist across multiple visits?
Can I make use of the login when the user isn't currently active in the app? Query for a status or make a request on their account in between visits?
Any help figuring out how this works would be spectacular. Thanks very much for the help!
If they are using fb to log in would I create an account with this information the first time? Then supplement this info with app specific stuff? Then grab that account every time they login? How should I reference the existing account?
Yes, and you'd use their Facebook ID to find if they have an existing account.
Can I only query the API for data from the client, or can I store some info on
the server that lets me query their account from the server?
Store the access token. If you need long-lasting access (the default token expires after an hour or two) you need to request offline_access extended permissions.
How would something like finding out if two people are friends work? Would this be done on the server? What does the query look like?
Fetch a user's friends list from https://graph.facebook.com/me/friends and see if the friend's Facebook ID is in there.
How long do sessions last and how is it decided? Will the login persist across multiple visits?
When the user authorizes your app via OAuth, the expiration time in seconds is appended to the URL.
Can I make use of the login when the user isn't currently active in the app? Query for a status or make a request on their account in between visits?
Yes, until the token expires. See above regarding offline_access.
I want to implement something similar to what Digg has done.
When the user logs in for the first time, I want it to force them to create an account on my site.
More importantly I want to know how to log a user into my site when they login with facebook connect. If they login with facebook connect, they still haven't provided me the password to their account on my site, so I can't use username/password to log them into my site. How do they do this on Digg or sites similar to this?
Facebook's process flow can definitely be a bit confusing. Take a step back from the details and the API, and look at the overall flow here:
Facebook Connect will tell you that a user is logged into Facebook, and give you their Facebook ID. You can validate that ID against Facebook using Facebook Connect to make sure it is properly logged in. Once this is done, you don't need a user name and password. As long as you trust that Facebook has authenticated the person properly, they are the only ones that can come to your site using that Facebook ID. That is enough information to start an authenticated session based around a local account that is associated with that ID.
The process you should follow is like this:
User logs in to your site with
Facebook Connect for the first time
You notice that you don't have a local account associated with that
Facebook ID, and prompt them to
enter local account information
You save that information along with their Facebook ID
The next time you see that Facebook ID (and validate that it is
logged into Facebook using the
Facebook API), you can start up a
local session using the associated
account.
Basically you end up with two separate methods of authentication: a Facebook Connect ID check, or the regular username/password login on your site. Either one should have the end result of starting a local authenticated session.
Hope that helps.