Facebook login along with standard login confusion - facebook-graph-api

I currently have a website with standard email+password mysql login and I have implemented Facebook Login.
I would like to keep both living together, however I have a little bit of confusion about how I should do it correctly.
In the standard implementation I check if user and pwd are correct, then I log the user in.
In the Facebook login JS, after I log the user in I have id and email; how can I link it to the existing standard account safely?
After the JS login I could send an ajax request to mysql (a php script) and see if the email+id couple exists, but this way anyone knowing the email and the id of the fb account could do it through a post request and it wouldn't be safe.
What would be the right way to do it?
Thanks for any help!

Related

Django Web Application, Facebook login

I am building a basic social media web application and I would like my only login point to be via facebook login. After doing a fair amount of research, I have seen multiple third party authorization frameworks that plug in with facebook, but I was wondering if there were any opinions on what the best foot forward would be.
Additionally, how would I go about still being able to use sessions/cookies within Django if I use fb login?
All answers are appreciated!
You can use SocialAuth (https://github.com/python-social-auth/social-app-django), this app allows you to let users log in via many common SocialMedia-accounts, e.g. facebook. Upon login, the app will create a user in your database, which you can then use as if the user logged in with a local account. Therefore, the session will still be handled by django, fb only sends you some information about the user (e.g. first- and lastname, email, etc. [configurable in your settings.py])

Request additional permissions only for specific users in Meteor

I have an application allowing users to sign in using their Facebook and Twitter accounts. I only need a very basic information like their email address and full name. Everything works fine and as planned.
    Accounts.ui.config({
        requestPermissions: {
            facebook: ['email'],
            github: ['user:email']
        }
    });
But, now I need to implement a feature posting to a Facebook page and Twitter on behalf of the admin users only. So, I need to get additional permissions from specific users only.
Admin users are eligible to manage our page at Facebook. The app needs to request additional permissions to be able to post to the page. I want to keep those basic permissions for regular users.
How can I accomplish that?
One way you can do it:
If you know that the logged-in user is an admin, put a re-authenticate button in the user dashboard (or somewhere that makes sense) that will authenticate the user for whatever permissions are required by the application.
This will basically do OAuth with the social service as usual; upon completion you will get an access code, and with this code you get the renewed access token from the social service. (This is normal; it is how you basically do OAuth manually.) Now, use this access token to post to social services.
For this, you will need to use node modules such as fb_graph for Facebook and twitter for Twitter.
Hope this helps

Connect facebook phonegap login with django allauth

I'm building up an app that should allow the user to sign up / sign in with Facebook and then he should be able to login (always via Facebook) to the "main" website
To be honest it's a bit more complicated than this. That's because I'm using django-tastypie and django-allauth in the main website to allow sign up, login, and browsing of our API
Basically I want to make the mobile app user browse the tastypie API (accessible only if logged in and if you're a user in the main website) and grant him the rights to add rows (like orders).
Here's what I have:
- A phonegap app with a working Facebook login (I'm working on that right now)
- A website with django-allauth and django-tastypie that makes me register as a new user using the allauth's Facebook login
- No trace on the main website if the mobile user is doing a sign up via Facebook (this is the problem)
I'm basically confused how I should work with access tokens and how to pass further parameters (I don't need only the Facebook infos to complete the registration, but some custom fields too)
Anyone got experiences on this or would like to expose his workflow?
One common way of doing things is to leave all registration related functionality up to the website. In your phonegap app you can simply point the user to /accounts/login/ using the In-App-Browser (IAB). The IAB has events like loadstart and exit that you should monitor. A simple way of monitoring whether or not the user is successfully logged in is to have him redirected to a specific url, say /accounts/login/complete/, at the end of the login. If you attach a token to that return url (as in /accounts/login/complete/?token=123) you will be able to parse that token in your app. You could simply use the session ID as a token.
A more secure way is to use the django-oauth2-provider app and actually implement a proper oauth handshake. Handling that is almost the same. Using IAB open /oauth/authenticate/, you will be asked to login using allauth, then an oauth2 confirmation dialog appears, after which the oauth grant code is passed to a success URL. You can pick that code up from phonegap and using AJAX calls from within the phonegap app you can fetch the oauth access token. Btw, django-rest-framework has builtin support for django-oauth2-provider (don't know about tastypie).
A completely different approach is to implement a Facebook login in your mobile app, completely independent from the web site. Once logged in you'll be handed over a Facebook access token. Now, you can send this token over to the web site. Given the token, the website can fetch the user (https://graph.facebook.com/me?access_token=...), check whether or not that user is already known, if so return an appropriate token/session for that user, if not, create the user account and also return a token.
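An added example (not part of the original answer, and not code from any of the projects named here) of the server-side check described above, which also covers the forged email+id POST worry in the first question: the client posts only the Facebook access token, and the site reads the id and e-mail from Facebook itself. The `debug_token` check, the `users` dict standing in for the user table, the `session_uid` parameter, the placeholder `APP_ID`/`APP_TOKEN` and the policy of asking for the password before linking by e-mail are assumptions of this example.

```python
import json
import urllib.parse
import urllib.request

APP_ID = "APP_ID_PLACEHOLDER"        # your Facebook app id (placeholder)
APP_TOKEN = "APP_TOKEN_PLACEHOLDER"  # app access token, kept server-side (placeholder)

def graph_get(path, params):
    """Server-to-server HTTPS call to the Graph API; returns the decoded JSON."""
    url = "https://graph.facebook.com/%s?%s" % (path, urllib.parse.urlencode(params))
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)

def facebook_login(user_token, users, session_uid=None, fetch=graph_get):
    """Map a Facebook user access token to a local account.

    users: stand-in for the user table, {uid: {"email": str, "fb_id": str or None}}.
    session_uid: uid of the password session already open in this browser, if any.
    Returns (status, uid). Only the token comes from the client; id and e-mail
    are read from Facebook's answer, never from the request body.
    """
    # 1. Is the token valid, and was it issued for *this* app?
    info = fetch("debug_token", {"input_token": user_token,
                                 "access_token": APP_TOKEN}).get("data", {})
    if not info.get("is_valid") or str(info.get("app_id")) != APP_ID:
        return ("rejected", None)
    # 2. Read the identity with the token itself and cross-check the user id.
    me = fetch("me", {"fields": "id,email", "access_token": user_token})
    fb_id = str(me.get("id", ""))
    if not fb_id or fb_id != str(info.get("user_id")):
        return ("rejected", None)
    # 3. Facebook id already linked: log that account in.
    for uid, row in users.items():
        if row["fb_id"] == fb_id:
            return ("ok", uid)
    # 4. User is already logged in with a password: link on the spot.
    if session_uid in users and users[session_uid]["fb_id"] is None:
        users[session_uid]["fb_id"] = fb_id
        return ("linked", session_uid)
    # 5. E-mail matches an existing account: prove ownership (password) first.
    email = (me.get("email") or "").lower()
    for uid, row in users.items():
        if email and row["email"].lower() == email:
            return ("confirm_password", uid)
    # 6. Unknown user: create a Facebook-only account.
    uid = max(users, default=0) + 1
    users[uid] = {"email": email, "fb_id": fb_id}
    return ("created", uid)
```

On `confirm_password` the site would ask for that account's password and, once it checks out, call the function again with `session_uid` set.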

Facebook user still logged in after logging out

I'm integrating Facebook into my application. A user in my app can either be authenticated via Facebook, or be authenticated by their account (email address + password) with the app. I have a page in my app where I pull Facebook friends list using FB Javascript sdk. I log into the app using Facebook authentication then navigate to the page and can see my friends list. I can then logout of app using FB.logout then login to the app using a different user account (email + password) then navigate to the page and still see my friends list. I've logged into the app using a non-facebook authenticated login. It's not a caching issue as I have no caching set up in my dev environment. I'm new to Facebook. Any ideas on why the friends page is still retrieving friends list? Thank you!
I doubt the browser is caching the friend list, unless you're loading the friends list after the page is loaded via ajax. But even then it would be rare to see such a thing.
I've never used the JS SDK. But I know that the PHP one automatically stores the FB token in the session. However, I've just had a thought: if you're using the JS SDK, that probably means that you're not using tokens like the PHP SDK does. I would guess that it's because Facebook is detecting the user as logged in?
Try logging out of Facebook after you log out of your own site, then log in with a different account. If that works, then you need to google around and get the code for logging them out of Facebook. I believe the old trick was to just header redirect them to the Facebook logout URL, but there may be a nicer way of doing this.
Having said that, this would log them out of Facebook, so you might annoy some people. How often can you see people logging out to log in with a different account?

What to do when a user logs out of Facebook but is still logged-in on my site

I have a website which users can sign up to using Facebook Connect (with the new OAuth 2.0 stuff). Now when a user logs out of Facebook they remain logged-in on my site.
I'm not using the JavaScript SDK as I don't like the "magic behind the curtains". So what should I do when a user logs out of Facebook? Should I care at all? I get the feeling I should try to catch this somehow and log them out of my site as well.
I'm using Django with a custom authentication backend for this.
Don't do anything. You are using Facebook as a means of authentication. The fact that the user logged out of Facebook means nothing for that matter - he's still the same user.
Do the users think of your site as a part of Facebook? I guess not (assuming it's not a Facebook app, just a login via Facebook). Then it would be surprising and counterintuitive from the user's perspective to find he's also logged out of your site when he only logged out of Facebook.