I am building a login system that depends on Facebook login plugin (https://developers.facebook.com/docs/facebook-login/web). Everything is going well with this easy to use plugin. The bad news is that: today, I noted that the Facebook changes its user IDs, and these changes can deceive your login system.
Explaining the process and the problem:
1- The user goes to your website and click Facebook login button to access to your website.
2- The plugin grabs the user's information from Facebook API, including the user Facebook ID.
3- Your script uses the grabbed info to check your database, looking for the Facebook ID in the users table.
4- If the Facebook ID exists, the system allows the user to login. If it does not exist, the system creates a new account for the user and login him/her to your website.
So, the same Facebook user might be registered more than one time as long as the Facebook changes the user's ID.
As I noted today: Sometimes, the Facebook gives its user an ID with 9 digits, and other times give the user an ID with 19 digits. If you used any of those IDs; it would redirect you to the same user's profile. For example: if the user's IDs are 999999999 and 1010101010101010101
https://facebook.com/999999999 and https://facebook.com/1010101010101010101 both URLs will lead you to same profile.
P.S. The script checks with the user's email, however the user has the choice not to supply his/her email address to your website.
I use API v2.. I didn't use the old version (v1.). So, I think this is not the issue of chronicle or app scoped IDs.
If you have any ideas that help in getting a fixed Facebook user ID, please let me know.
Thank you in advance
Related
Let’s say BIM360 admin has added my BIM360 app from BIM360 App Store to his/her BIM360 account, and gone through the provisioning steps.
After that, when user clicks ‘Open’ link (a sample shown in the screenshot), a page from my app will be opened.
In this page, I need to determine whether this particular BIM360 account already has a corresponding account in my app or not.
To clarify further, my app is a multi-tenant cloud-service, and each tenant/account is tied with a BIM360 account - not with individual BIM360 users. So, regardless of BIM360 user who logged into BIM360 page, I need to redirect him/her to the account corresponding to BIM360 account.
If no corresponding account in my app (which will be the case for first time access), I have to redirect user to 'sign up' page.
Question: how do I find the BIM360 Account ID when user opens my app via 'Open' link in BIM360 page?
One possible workaround (a hack, really) is to use ‘referrer’ in HTTP header (on my page) to grab the URL of BIM360 page, and scrape Account ID out of it.
What is the correct way to do this? Could you point me to a sample code?
Thanks
When the end-user opens your app you should ask to sign in with his/her Autodesk Account, which results in a 3-legged OAuth access token.
With that, your app can call GET Hubs, which returns the list of Hubs that user has access and your app also has access. As this includes all hubs, check for attribute.extension.type == hubs:autodesk.bim360:Account and the hub id will be the BIM 360 Account. You may also check the hub id with b. prefix.
Please note the Hub id has the b. prefix and you need to remove it to get the correct BIM 360 Account ID.
Finally, an end-user that comes to your app may have multiple BIM 360 Docs hubs provisioned to your app, e.g. a contractor that works with multiple projects, so consider that scenario.
Check this article for some other considerations.
EDIT
From comment (23/4/2018):
the workaround you suggested doesn't really solve the problem then. I need a way to figure out the BIM360 Account ID for the page where user clicked 'Open' link.
After the user clicks on "open", your app needs to ask for sign-in, which gives your app a 3-legged token. With that, call GET Hubs endpoint, filter hubs for BIM 360 Docs, if more than one, ask user to select the hub/account, then you have the account ID.
I am trying to create a login with facebook using javascript for a chrome extension that will return some data from the server.
I am currently able to login without issues with google and facebook. Google is returning the email address and an unique ID that only applies to my app so I can use that ID to login into my server together with the email address provided.
Facebook returns the real user ID and the email address, meaning that anyone that has access to facebook can find that ID and if they know the email address they will be able to login.
As I do not want to ask the user to login every time that they restart the browser or every few days, what is the best way to get a unique constant secure ID from facebook that is unique to my application?
Naturally if I make it unique in the extension it would not really be beneficial because anyone can read the extension code and then figure out how to get someone else unique ID from their user ID.
The authorization code that Facebook sends is not constant, so I would not be able to send it to the server to authenticate someone.
"Facebook returns the real user ID" - wrong, the api only returns an App Scoped ID. And no one except for the user himself will be able to login. Just use the App Scoped ID, that´s how you identify users in your App. Btw, user IDs are not really something you need to keep secret. Access Tokens are.
My project team and I are currently working on a Single Web Application project using Java Spark in the back-end and Javascript, HTML and CSS (with Bootstrap) in the front-end. We use MySQL as our DBMS.
We're trying to make a system to log a user on Reddit in to our site. We need Reddit to get a user's karma and not manage passwords and usernames ourselves.
We're using Reddit's OAuth API in order to ask for a token, and Reddit then redirects the user to our website again.
We've made a button on our website to log the user in.
What we're trying to achieve is:
The user clicks the log-in button.
The user gets redirected to the Reddit login page and needs to give permission to us to use their Reddit account with a few permissions.
The user accepts the request and then gets redirected to our website. The Reddit API sends a GET request to localhost/login and appends the state and Reddit token to the link (so the link becomes localhost/login?state=STATECODE&code=REDDITTOKEN).
In the back-end (Spark/Java), we catch that GET-request and extract the state and code. We then send the code to Reddit to get a JSON with the user's data (such as comment karma, link karma and username) using https://oauth.reddit.com/api/v1/me.
The back-end then checks if the username is already in our User table. If it is, the user already registered, and the user gets redirected to the mainpage and gets logged in. (We do log-ins by assigning session IDs to users in out User table.)
If, however, the usernameis not yet in our database, then the user gets redirected to the registration page/section of our website, and in some way, the username and karma-values are passed to this page.
The user then fills in the remaining details about their account (email, address, age, etc.) and then clicks on register. This then sends a POST-request to our server with all the details (username, comment karma, link karma, email, address, age, etc.) and puts that user in our Database. The user then gets logged into our website and gets redirected to our website.
The problems we are facing right now is
we don't know how we can pass the username, comment karma and link karma from our back-end to our front-end. We thought doing it with a cookie would do the trick, but this causes security-issues and just makes it more confusing for us.
Maybe there is a better way to handle this system. We would really appreciate suggestion for doing this in a better manner than this way. However, we have to deliver something working by Nov 10th.
Is there a way to pass values from Spark/Java to a webpage when registering someone?
I can share some bits of our code if wanted. Right now, our GitHub repository is private, however.
Your help is extremely appreciated. I might even buy you coffee.
Sincerely,
Jeroen Meijer.
I'm working on web app which is NOT a Facebook Application.
I want to get current logged user's ID (I'm not sure if this is the right expression, I mean facebook.com/userid ) or user's name using Javascript.
Please if you don't know how to do it or if you don't have any suggestion what should help me, don't comment , thanks.How can I do this?
You cannot get the details (facebook id etc.) of the currently logged-in facebook user without using an app.
To query for the current user, you'll have to query for the /me and that requires an active access token which you can only get when the user authorizes an app!
Is there a way, using the new Facebook API, to detect whether a user is logged in or not on facebook, without any relation to the facebook app? This should be all done in client-side javascript on a page on a website.
In more detail:
According to the facebook documentation, getLoginStatus will detect a user is logged in if "the user is logged in and connected to your application." On the other hand, it will report the user is logged out if "the user is either not logged into Facebook, or has not authorized your application."
To me, this implies that getLoginStatus will never work the first time a user uses your application, because the first time any user is using your application, he/she has not granted any permissions to your application.
Moreover, what specific permissions does the user have to grant the app for getLoginStatus to work if the user is logged in? I have checked this list of permissions (on the Facebook API documentation):
http://developers.facebook.com/docs/authentication/permissions/
and have seen no mention of any permission that relates to this sort of detection.
This my first time using the Facebook API and it is very frustrating. I have scoured the internet and it seems like the general consensus is that you simply cannot detect whether a user is logged in or out.
I have found that when a non facebook user accesses the page you can check the persons [age] from the signedRequest (this information does not need permission as far as I've tested) and it will have both a max and min property.
A logged in facebook user will only have a min property as that is their actual age. I believe this information is given in order to deliver content restricted by age limits.
A logged in facebook user who then gives access permissions to connect with your app will have a user id so you can detect that seperately too.
This gives 3 user states by taking information from the signed request:
Anonymous: Has max and min age properties
Facebook User: Has only a min age property
Facebook User (who gave permission): Has a user id
Remember that facebook could revoke this functionality at any time and I've really only tested this a little. Good luck.