My website allow users to signup by their Google or Facebook account. But some users use clone account to signup for spamming, so I want to detect and allow only Facebook or Google account which was created at least 1 year ago to signup.
I know that Facebook and Google API do not allow to see that information, do you have any opinions about this, please help me.
Thank you vẻry much.
I have few thoughts over this. In my view I do not think that information can be available via API. Both Facebook and Google have strong layer of security with some abstractions in terms of data they shared about a perticular entity. IMHO (in my humble opinion), it appears too much internal to me regardless of the fact that you have fair enough information being shared by their rich set of API.
Here is an overview of what Facebook has mentioned regarding permissions:
When a person logs into your app via Facebook Login you can access a
subset of that person's data stored on Facebook. Permissions are how
you ask someone if you can access that data. A person's privacy
settings combined with what you ask for will determine what you can
access.
However you can check what permission you have been grant access to in your app by Facebook.
For Google API, i did not see/find such information. Check obtaining user profile section.
So is there anything we do to check spammers?
Well, not in kind of way we anticipated, but one thing that could be helpful is the email verification. Most of the spam users do not like to provide valid/verified email addresses while sign up.
Calling the Facebook Graph API like https://graph.facebook.com/version/me/?access_token=token&fields=verified (where verified can be true or false). I saw some users report that it brings in whether the account has been verified, not the email.
In Google API, we can get the profile by calling the people.getOpenIdConnect endpoint. This method has email_verified property which returns true only if the email address is valid.
These may or may not be helpful but something is better than nothing until some better option get available in future versions of API.
Conclusion
Besides it is certainly not in scope of a developer using the API to control fake/spam users from signing up on either of these social networking giants. I believe that apart from checking the authentication, it is not easy to detect/filter out the such users out of million users even at their end.
Related
I want to add popular social authentication mechanisms to my website, I looked at the passport library (https://www.npmjs.com/package/passport) but i want to achieve the client side authentication with a popup rather redirecting to the google/ facebook.
I see discuss does the similar thing on their iframe embedding.
is there any library available in market to do this or i need to do this manually myself?
For authentication via client-side without much effort you may use Firebase(Google's BaaS), it allows you to handle social authentication(Facebook, Google, Twitter, Github, etc...), you can handle user sessions, check if the user is currently logged or not, log the user out, and get social user data, such as profile picture, email, and other types of information based on the permissions that you asked for.
You might want to take a look at the docs:
https://firebase.google.com/docs/
Or check their own series of video tutorials:
https://www.youtube.com/watch?v=-OKrloDzGpU (this tutorial is about Auth on the web)
So I was very happy when Facebook approved my Chrome Extension app. Basically, it allows you to import your data from facebook into the local_storage in Chrome, then you can easily search your old posts. While it works like a charm for my account, when I switch to another account, login, approve the Facebook request for permissions, my user_feed data is empty. I am at a loss.
I am able to get user info, the image of the user, his/her name, etc. and I am able to retrieve an access token. But, when I make the call to the feed, it comes back empty:
https://graph.facebook.com/me/feed?access_token=EAAcu...&expires_in&limit=50&offset=1&fields=message,likes,story,created_time,link
(I have also tried injecting the ID for "me"). Again, this works great when it's my FB account (also the developer account). So, I don't think it is my code, the only thing that changes is the user...
Perhaps it takes a certain amount of time for the Facebook API to work even after Facebook approves your permissions request??
Use the Access Token Debugger Tool to see if the access token that you are getting back has user_posts permission listed under "Scopes". If it is not present, then you cannot use that access token to fetch the user's feed.
Note that user_posts permission requires approval prior to usage. If you are not approved, it will only work for people who have admin/developer role in your app.
Got it. I didn't see this anywhere in the documentation, but in addition to having your app's permissions approved by facebook, you must also include the scope as a query parameter:
https://www.facebook.com/dialog/oauth?client_id=${appId}&scope=user_posts&response_type=token&redirect_uri=http://someresponse.com
If anyone sees this in the documentation, please let me know.
I'm incorporating Google Sign-In for my website and the basic setup is working fine, however I face a problem to manage the user's login status.
I came across the below SO question, which suggested to use sessionStorage/localStorage to carry the login status across pages of a website, and when user signs out the stored info should be cleared.
https://stackoverflow.com/a/40206395/5345604
I afraid I don't entirely understand the suggested implementation though. What if user signs out from his Google account somewhere else, say from Gmail or from Google Maps? In this case when the user revisits my website, how can I detect that he is no longer signed in with Google and remove the stored client side session? Or this is not the way it is supposed to work?
And on top of the above question, I'm also thinking about the authentication with my backend (PHP). Given the ID token, shall I be sending it across to my server and authenticate it with the Google API Client Library every time? Or shall I only authenticate the user once and store a flag of indication in $_SESSION, and then destroy the session when the user signs out? (Given that the token is in fact a JWT, I suppose the implementation is meant to be stateless and requires the token to be passed to the server every time? Are there any concerns to implement it with the traditional approach of a server side session?)
I can only answer your first question: The login of your website is completely separate from the login status of other Google services. Even YouTube is separate from google.com.
So I'm developing my own API for my website - I'm mimicking the Facebook JS SDK in regards to how my system works. API client displays a button, popup comes up and the user can log in. Login popup issues an event to the opener window and the parent window now knows the user is logged in. That all works.
What I'm having trouble understanding is how they can verify that the refresh requests are valid. If the API client needs to send a request to the server to ask if the user is logged in and it's all in JS, then everything is transparent. The API client says, "Hi, I'm application 4jhkk2l3bnm389, is the user that's logged in on Facebook also authenticated with me? If so, can you send me a new token so I can make API calls?" and Facebook says, "Oh, you're application 4jhkk2l3bnm389? Yeah, the user is logged in and has allowed you to access their information, here's an access token."
But how does Facebook prevent an outside application that isn't the authentic application from saying, "Hey, I'M actually application 4jhkk2l3bnm389, I promise I'm not lying. Can I have an access token?"
I have no idea how they determine the difference. Obviously if it was all done through AJAX calls in modern browsers then you could just provide an Access-Control-Allow-Origin header. But if a malicious client were to use cURL then I don't think I could ever tell the difference. How does Facebook do it? A good explanation is much appreciated! Thanks!
All access tokens belongs to an app/user pair, and in order for Facebook to return such an access token to the app, these has to be verified.
The app, or client_id, is verified against the domain specified in the redirect_uri - if the page tries to use a client_id/redirect_uri pair it does not own, then it will not receive the access token as this will be passed to the valid redirect_uri (the mechanism the JS SDK uses follows the same rule).
The user, or uid, is verified using the cookie Facebook sets when you sign in.
While you can easily spoof the client_id/redirect_uri pair using curl, the same does not apply to the uid, as you would have to be in the possession of the users cookie. And if this is the case, well, then you could simply grant your own application access.
Facebook uses OAuth 2.0 for authentication. You can find details of how Facebook deals with OAuth right here: https://developers.facebook.com/docs/authentication/. There are many different ways OAuth can be used, depending on whether you're on a mobile device, a page on facebook.com itself, or, in your case, just a web page outside of facebook.com. The details of that final flow can be found here: https://developers.facebook.com/docs/authentication/client-side/.
Basically, Facebook knows what applications you have given permission to view your information. When you run one of those applications, they first make sure you are logged in to Facebook, then they request a user access token from Facebook, essentially saying, "Hey Facebook, I don't know this person, nor should I. Can I get access to their information?". And then Facebook looks internally and if it decides this particular application should have access to this user's information, it sends a user token.
That's the simple way of describing it. There are many different ways the authentication flow can happen, depending as I said earlier on what kind of device the request is happening from, whether this is a page on facebook.com, etc., essentially based on your security constraints. Best to read the Facebook authentication docs referred to earlier for the details since it can get quite tricky.
Is there any safe way to detect, on a web page, client side (JS), whether user has an Google/Yahoo/Live/? account?
I know about some suspicious ways to do this by styling visited links and then sneaking on computed style attribute, but it's more of a hack, Mozilla and maybe other are planning to crack down on this, as it might be abused.
But I need this to allow users more integration with their identity providers, like:
Have a Google account? ~> load contacts for sharing from Google Contacts API
Have an Yahoo account? ~> load contacts for sharing from Yahoo Contacts API
none of the above? show no link
I don't want to provide all these options to all visitors, would be nice if I can detect the account, and provide integration only in that case.
Yes, you ask them. Despite your misgivings, people will be far happier with you if you bother them, asking for the information, than they will be if you 'steal' such information.
You only have to re-read your question with phrases like "sneaking", "more of a hack", "planning to crack down", and "might be abused" to realise what a bad idea this is - maybe you could scan their hard disk looking for bank account information while you're at it :-)
The only valid way to do that is by using Google and Yahoo API's which are easy to implement. User will have to either provide his login details on your site or to use token methods which redirect login to Google/Yahoo and then back to your site. Once you connect to API, you can do anything with user account.