Is it oauth I am thinking of when I see apps even like stack overflow let you login via google. I want a rails app that doesn't require all this fancy sign up but to have users that bind uniquely to data in the app. Just not sure the terminology I am looking for. Basically an app that once you log in using Google knows you've "logged in" and can store work done in the rails page to your account id. I saw something like this:
https://github.com/zquestz/omniauth-google-oauth2
I think this is what I want. Basically log into app with an account you have or set up somewhere else just so I know you are an unique user and can bind data to you.
Related
I am using the code that gets implemented in a new MVC Project for user to Log into Google,Yahoo, Etc.. I have it all working but what I notice is when I try to log-in with Yahoo, there might be another user (my brother-in-law) logged into Yahoo on my machine, so when I try to log-in, it tries to register him. That is annoying, so I want it to force the user to re-enter their username/password on Yahoo (google, etc). Is that possible? This seems like a security flaw also. If I was in my app and then logged out, but did not log out of Yahoo, Google,etc.. anyone could come along and log in to my app. That hole is so wide and obvious it tells me I am probably doing something wrong, because they would not have designed it that way. I am thinking I need to destroy some cookie or token on my site when the sessions ends or I log out..
I'm currently working on a RoR app that is only going to be used inside the Facebook Canvas. To model the users I use Devise. Now, I'm aiming at making the signup & login process easy as pie. If my prospective users open the app, he/she should be prompted to authorize the app to access name and email. If this happens a user should be created with the name, fb_uid and email. Every time this user now comes back to the canvas app he should be signed in.
How do I accomlish this?
Please help - looked at koala, omniauth, the javascript and php sdks -> my brain just feels fried...
This railscasts episode shows you how to easily put together the authentication system using omniauth-facebook. I actually just used it today as well. Let me know if you have any more specific questions.
http://railscasts.com/episodes/360-facebook-authentication
I am currently developing an app that will use the FB SDK (for the first time) to log a user into the app. The flow is typical, I assume. User taps "log in with facebook", facebook graph authenticates, then we do a call to our api and log the user in via their facebook email (only) we have on file.
However, whats freaking me out here is, theoretically if some knew our api_token, and knew that calling a POST to a login url with only a valid existing email to log them in, isn't that a security issue since they could actually log in as someone else. Am I over thinking this? Understandably, they'd have to know every aspect of the api to do any damage. But still, I'm not feeling comfortable with this flow. Am I missing something?
This shouldn't be something you have to worry about. Facebook first protects you by having the requirement for the user to be logged into Facebook. Next, the user's UID(readily available to anyone) and your API Key isn't enough. They'd still need your API Secret Key (which if someone has is a bad thing) to sign requests as you.
What you're really using is OAuth (though Devise, through OmniAuth). I'm not an expert but you can read more here: http://hueniverse.com/oauth/guide/security/
When a user registers via OAuth, you aren't going to have a password set for them, and that's not a huge deal as they have to also first log into Facebook. It might be a good idea though to ask them to set a password if they ever edit their account, that also means they can sign in the old fashion way if they desire/delete Facebook/etc.
I have a signup form, and I wanted to make it so that they have the option of recommending this signup to all their friends in facebook.
Is there a rails API/gem for doing this?
Is there an appropriate name for this?
Thanks!
Looking at the Extended permissions documentation, you don't get access to the email addresses of a Facebook user's friends (search for email and note the second column reads not available). If that's what you're trying to achieve, it's almost certainly not possible, without the user contacting each friend and asking them to visit your app (which I would imagine would have quite a low take-up, if only through inertia).
I guess you have two options:
popup a javascript before submitting the form to prompt the user wether he wants to share it with friends. You will use the js api http://github.com/facebook/connect-js (see the dialog section). This solution would avoid doing server side connection to the facebook api
Have a look a the Facebooker gem to do a stream_publish
I have a facebook fbml app and a web application. I want my web application users to be able to add my facebook app. Seems simple, right?
Currently, I am making the connection by adding a param to the canvas page link in my site. For example, I have a link that says "add our fbook application" which links to http://apps.facebook.com/our_fbook_application?suid=786432878923
suid is the logged in user's uid on my site. Adding this to the canvas link params allows me to connect their site uid to their fbook uid on my site. This way when requests come in from facebook, I can authenticate them based on solely the fbook uid after the connection is made.
This seems like a security issue. I think an attacker could log into their facebook account and guess user id's by calling http://apps.facebook.com/our_fbook_application?suid=x and when x corresponded to a suid on my site, he would be authenticated to see that user's data.
This connecting of a facebook app user to a website user seems like it should be really common practice, but all I can find these days is facebook connect examples which I am not supporting yet.
Can someone walk me through the steps to connect a facebook app user to my website user? Major bonus points if someone can do it in Rails with the facebooker gem.
Thanks!
don't pass the suid as a variable.
Instead, on your backend, associate the FB uid with the suid.
When the user accesses the app via website, he/she will have to log in (maybe through fb connect?).
When the user accesses the app via FB, your page should be able to determine the fbuid of the user and map that to the correct suid and log the user into your site.