I'd like to simplify the authentication workflow in my Firebase app, and let users connect without password:
With third party OAuth providers: Facebook, Google, etc.
or
With email
If the later, the user would just fill in their address, receive a URL, and instantly get logged in without having to type/remember a password.
Whenever they logout, or, their session times out, they would enter their email again, and receive a new link to start a new session.
How to do that with Firebase?
I feel like it's not possible on the client, so what would be the best server side routine to achieve that workflow?
Finally, after taking some time to figure this out, I quickly realised that the email verification process cannot be used to solve this: the function to get this email sent can only be called by already logged-in users (which makes perfect sense). Hence it cannot be used to sign-in.
I ended up using this workflow with Firebase custom authentication :
CLIENT User asks to login, he's asked his email address, and told he will receive a link to complete log in upon form submission.
SERVER Receives the email address. Finds or creates user id belonging to that user, creates a custom token with this uid and sends an authenticated link by email (for example: http://myapp.com/?token=XYZ)
CLIENT User comes back in the app by clicking on that link, and the app can use the token parameter to immediately log-in the user using firebase.auth().signInWithCustomToken(token).
Look, ma, no passwud!
For Email part you can :-
Use custom passwords from Front-End eg:- timestamp's or some random words+timeStamp . And store that timeStamp in the users's Database for future reference for session expiration.
For sending a link for starting a session you can use the verification email to send a link inside and modulate the contents of the mail as per your needs.
For knowing when your session expire's:-
Just retrieve the timeStamp lets say that is timeKeyRetrieved
Check how much time has passed since the timeStamp
PS:- For checking wether user session has expired during the user is online. You will have to use timer. And whenever your users gets online just retrieve the timeStamp in AppDelegate methods or viewWillAppear:
Related
I am trying to create a login with facebook using javascript for a chrome extension that will return some data from the server.
I am currently able to login without issues with google and facebook. Google is returning the email address and an unique ID that only applies to my app so I can use that ID to login into my server together with the email address provided.
Facebook returns the real user ID and the email address, meaning that anyone that has access to facebook can find that ID and if they know the email address they will be able to login.
As I do not want to ask the user to login every time that they restart the browser or every few days, what is the best way to get a unique constant secure ID from facebook that is unique to my application?
Naturally if I make it unique in the extension it would not really be beneficial because anyone can read the extension code and then figure out how to get someone else unique ID from their user ID.
The authorization code that Facebook sends is not constant, so I would not be able to send it to the server to authenticate someone.
"Facebook returns the real user ID" - wrong, the api only returns an App Scoped ID. And no one except for the user himself will be able to login. Just use the App Scoped ID, that´s how you identify users in your App. Btw, user IDs are not really something you need to keep secret. Access Tokens are.
I'm working on a quite simple Node.js server. The users authenticate via a plain username/password form and the server - after checking a db - grants or refuses the access to the other pages.
To keep track of what each user's doing I'm going to generate a UUID to send on login. When a client asks or sends anything to the server it will include this UUID so the server will know who is the user.
The questions are about the life-cycle of these UUIDs:
when I must remove a UUID from my local array? I.e. when the user "disconnects", I guess if it explicitely logout or after a timeout of inactivity. I don't want to disconnect if he puts in standby his smartphone for a while.
if the user reloads the page when his session is still alive, I want to avoid a new login: I need a way to understand the connection is from the same user. How would you achieve this?
What I would do is use JWT. I would ask user to login using username and password and then issue them a JWT with payload containing the user's identifier (username or id) and with a set expiry which represents the max inactivity time allowed (depends on your business logic), say 5hrs. I can also contain last logout date etc.
Now user sends this JWT in his header whenever he's making requests to your services, you can decode that token and check if user logged out (tokens last logout time is less than the user's logout time).
You can keep track of various things.
There may be other ways also, using sessions.
I would like to use Apigility and Jquery as a login strategy into my application. I am struggling to understand how to do this.
My setup is as follows:
The client and the Login api are trusted as they are both part of my application.
What I am struggling to understand is the process of taking the username and password from my form, processing it in JQuery, then using the Apigility authorization strategy to ensure that the request is genuine and to pass it securely onto the required login end point.
I have a standard login form:
The user enters a username and password and clicks "login".
Jquery validates the data and now I need to send the users credentials to the Login End Point... How to do this with ApiGility, I am not sure...
I have been reading the documentation here: https://apigility.org/documentation/auth/authentication-oauth2 and I don't quite get it.
This is what I have setup with ApiGility.
I have created a Login end point in ApiGility
This end point can only accept a Post request.
The end point requires authorization to be accessed.
Now how to interact with this?
As I am using a client side script (Even though it is my own app), I cant use traditional Client id and password as there is no way to secure this information in JQuery without exposing it to the world.
In its place, I should use an implicit grant, i.e. a client identity, with no password.
To get an implicit grant, I need to re-direct the user to Apigilities: http://example.com/oauth/authorize?response_type=token&client_id=testclient2&redirect_uri=/oauth/receivecode&state=1 end point, ensuring I include the user name and password in the post request.
When a user is re-directed, they must click on a yes or a no button, if yes, a token is created and a session is generated (storing the customers username and password) and returned. This token I store on the customers machine, using a session.
Now that I have a token, I use this token to gain access to my secure Login End Point.
Once I have access to the Login Controller, I now use the token to get the username and password from the session.
Finally - check the credentials and return: true / false etc.
How close or far off am I?
1. Yes you can, as long as you use a properly configured (secure) https connection. By using a security certificate you will ensure encryption of the data being sent and received by the client and it will be unreadable when intercepted.
2. When using implicit grant you will still need to authenticate your client with a username and password. Check the workflow here in this OAuth documentation.
My idea is you are missing the fact that you need a secure connection. I would suggest setting up https on your server and then follow the Apigility OAuth documentation. It seems quite complete and I think you should be able to manage by following their instructions.
I need to access status updates of an artist page to display as feed on my website.
So everytime a user accesses the artist' space on my website, he sees the artist's status feed in a tab.
Do I need to ask for the artist's permission every session? That would not be practical I guess.
Thanks
You only need to ask permission once, when the user logins for the first time.
If you use the client side JS SDK, that is really all you need to worry about. The access_token will be automatically refreshed by the SDK whenever needed. The user only needs to be logged in to facebook, no action is required.
You will most likely be using the JS SDK.
So unless you use a manual server side oauth flow, see below:
If you use a manual server side oauth flow you usually get a short-term access_token that is valid for 2 hours after the user logs in for the first time.
You can request a long term access_token by sending a request to oauth/access_token with some additional parameters:
See here:
https://developers.facebook.com/docs/facebook-login/access-tokens#extending
This long lived access_token is valid indefinitely, but may expire at ANY moment.
Reasons could be:
user password change
user logout
use de-authorizes app
...
So you are to just reuse the access_token whenever you want to interact with the users facebook account ( you don't have to ask them to log in again).
But as soon as your access_token becomes invalid, you have to update the acces_token by sending the user trough the oauth flow again.
I was looking at the facebook tutorial here
I am having some generic questions about integration and data management of user profiles (slightly confused).
So let's forget the facebook API for a minute, upon normal sign up I use a database that I capture the user details like desired user name , password and email ,dob .
If I use the facebook api shall I write tjose details anyway on my db and create a random username / password for the user and associate it with the facebook name (create a new field) or it's best not to write any information on my db at all? And then they can just use fb every time that they need to login .
I guess fb login takes away the username and password completely and still provides me with some information e.g email , date of birth etc....
Basically you will need some way to differentiate between Facebook users and users that have logged in manually. They will pretty much share the same fields (you can even request the users DOB from Facebook).
In both scenarios, you'll want to have a record in your DB for the user. With regard to a unique identifier, you could easily use the user's Facebook ID. After the user has logged in, you should not differentiate between login methods.