How can I use both registerable and omniauthable modules in Devise?
Specifically I'd like to be able to let users do the following:
Register/login with email and password
Register/login with Facebook (via omniauth)
Attach or remove a Facebook account to their account so they can login with either their email or their Facebook account.
I don't know how to do 3 at all.
1 and 2 are done, but where it gets weird is if the user registered with a Facebook account, I don't need to show (or require) them to enter a password to update their profile.
So, how can I...
Let users attach a Facebook account to their current account so they can login with either.
If the user only signed up with a Facebook account, how do I hide (and not require) the password fields when editing their settings.
Let users attach a Facebook account to their current account so
they can login with either.
in the user setting page add a link to "link to Facebook account"
the link just drive the user through the normal Facebook authentication processes using the OmniauthCallbacksController, just make sure in your OmniauthCallbacksController facebook method you add some code to see if the user is already logged in and if he is you just add an authentication token for the user (I have a table that stores the authentication token for each user)
If the user only signed up with a Facebook account, how do I hide
(and not require) the password fields when editing their settings.
Take a look at this: https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-account-without-providing-a-password
Hope this help.
You might find this article interesting:
http://www.ruby-on-rails-outsourcing.com/2011/05/06/how-to-merge-facebook-account-into-existing-user-account-using-devise/
Just ran through this myself as I was looking into the same thing, and it worked great for me, but one additional note that is incredibly easy to overlook as it's barely mentioned in a single paragraph; don't forget to generate a migration to add facebook_uid to the user model.
Related
I am in the process of adding social media oauth login and registration to an existing site. I've followed the overall process described here:
https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
Currently, if a user wishes to change their account profile (including email address, password, etc.) then they need to supply their existing password. This is to prevent cookie stealing style attacks, or damage caused by people leaving accounts logged in on public machines.
However, if a user has registered using Facebook then a randomised password is set behind the scenes and the user is not aware that a password exists in our system.
This could make the simple process of updating the user profile a confusing and off-putting task. How do we present the password to the user, and how do we explain that it's different to the Facebook password?
I would like to present a Facebook pop-up or interstitial to the user before they change their account details, to force them to re-authenticate using their Facebook password, but I can't immediately see a way of supplying multiple callback URLs, or passing form data.
Is there a feature or workaround that would let me achieve this?
Please let me know if including any code would help, but you can assume that I'm using a standard Rails app running Devise and the Facebook oauth strategy, with code snippets described in the link above.
We're building an app using ASP.Net Identity for authentication. We allow users to login using their Facebook or Google account. Or the user can create an account in our app.
We're implementing the password reset feature and came across an issue we're not quite sure how to handle. Say a user is using their social account to log in to our app. Should they even see the 'Forgot Password' link on our Login page, if they go there? It seems obvious this shouldn't even be an option for those users using their social account to log in, but we wanted to make sure we were not overlooking anything.
If a user goes to login page he is most likely not authenticated, so how will you know if to hide the 'Forgot Password' link?
In ASP.Net Identity a user can have a local login AND external account logins at same time, its built in. So if a user logged in with an external account press 'Forgot Password', the framework will create a local login for that user with a 'reseted' password (he will not reset the external login). That user will end up having to 2 ways to login in his account.
If that should be an option? In my opinion, it should.
How about change the password of the user if you have already collected the mobile number or the email id of the user so the reset password link can be sent to his/her email id and the password can now be reset.
Yes the user will be having two ways to login to the application.
I am using Devise and since my app is in Beta, I want to control which users who have signed up can sign in.
So, even if the confirmation email is sent, how can I make it so that just when an admin has confirmed the account they will be able to sign in? Is there any module in Devise that would let me do so?
All you need to do is add an "approved" attribute to your user table, use admin to change its status and before sign in you can check whether user is approved or not. You can find detailed information here: link
I have some questions on how Devise and OmniAuth work as I couldn't find any clarification on these one's I'm about to ask. Here I'll use Facebook as an example.
If I wanted users to be able to sign in using only Facebook and not be able to create an account, could I still use Devise? Does it still have a purpose?
If I were to go the Facebook route above, I see in my database it saves a "user" but does that user stay with that same ID or does it delete/change every time they re-sign in and they become "new users"?
What does using OmniAuth only mean for my application? It's basically the same as Devise right? Just going through a third party?
Right now, I created an app with just the omniauth-facebook gem and I'm thinking it's the same as Devise but just does the all the work for me (name, email, location, etc.) as if it was just a replacement.
The reason I ask these questions is because I don't want to end up assigning a user to a resource and it can't find him because it keeps changing the ID of said user because OmniAuth treats it like some type of sessions table (logging in) and not the actual user's table (save columns permanently). I want the the Devise functionality but to simply replace it with Facebook. I hope I'm making sense.
Thanks.
Well, Devise is an user management gem, so it will manage all your user sessions informations, password, password reset, confirmation ....
Everything that is related to registrations and login will be handled by devise.
Now if you want to add omniauth login (Facebook,Twitter,....) you have to use omniauth to take care of the login using any provider like Facebook.
Basically Omniauth allows you to link facebook users to your app users but works perfectly well with Devise.
For example when a user is created using Facebook signup it's created in the User Tables which has both devise and omniauth information. So your user will also be able to login using his email and create a password afterwards.
Facebook provide a unique ID for each user which is stored in your database, so when one user is created with Facebook login it has both an email address to use with Devise and the Facebook ID to use with Omniauth to login.
You can use both together with the same user model and manage how you want to do it.
You can for example let user to create a password after omniauth login so that they can login afterwards with either omniauth or devise.
Or you can also let existing user link their facebook account for future use.
I hope this is clear enough, if you have anymore questions let me know !
https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
Your user is your user. Omniauth provides an interface to your application which abstracts the whole Oauth protocol logic from you. But it's like this: your user signs in with his facebook account and gets a token. This token is bound to your user in your app, and that's how omniauth identifies him.
No, Omniauth is not the same as devise. Both try to address the same purpose (user authentication on your app), but while devise bundles the whole inner logic of identity provision in your app (creating an account, registering an account, registration emails, recovering an account, managing sessions, signing in, signing out...), Omniauth provides only an interface to link your user account to an authorized third-party account and access its information, and the rest you have to do yourself.
But they can work together (use devise to create accounts local to your app, use omniauth to link those accounts to third-party accounts and (maybe) fill some basic information for the user account based on his third party account, like facebook name, email, photo).
The sessions repository is independent of your users table, so there is no possibility of happening what you stated in the last paragraph.
I have recently implemented login to my via facebook connect. So now users have 2 ways of logging in to the site. The old way of registering an account and the new way (facebook connect).
One thing I would like to do is link a new facebook connect user account to existing accounts if they logged in the old way.
Has anyone had any success doing this?
Very good question I think and lots of people will benefit from an answer.
What you need to remember is that accounts are only linked so long as they are authorised to be linked through Facebook. What you should do is maintain a second table of linked accounts in your database so that you know who is who and if they are linked with Facebook.
You should read this integration comment, it provides a lot of useful information.
http://crazyviraj.blogspot.com/2010/01/test-cases-for-basic-facebook-connect.html
It doesn't really say how to do things, but it makes sure you tick all the boxes of what you should be doing.
ie:
Sign Up should fail if the user denies
permission to the app (category: sign
up)
Since we need access to an email
address, Sign Up should fail if the
user provides publish permission but
denies email permission (category:
sign up)
If the user provides an email address
that already exists in your system,
fail Sign Up. Make sure no YouFace
backend tables are modified (category:
sign up, 1:1 mapping) PS - when this
happens, I didn't find a way for you
to de-authorize YouFace on the
Facebook user's behalf. The user must
manually do this if they wish you use
the same account but provide a
different email address.
Accounts created using Facebook
Connect should not be able to login
using YouFace's default email/password
login system (category: sign in,
account security). PS: Since YouFace
accounts require a password and those
created using Facebook Connect don't,
make sure to insert a random password
hash into your table to avoid silly
errors
Accounts created using YouFace should
be able to sign in without requiring
to be signed into Facebook, even if
when a link to a Facebook accounts
exists (category: sign in)
Any many more
You should be asking for permanent access through fb connect authentication. Once you've done that, you'll get a token which gives your permission to access someone's Facebook information, and that token will not expire unless the user explicitly removes you from the permission list or changes his/her password.
Once you have the token, associate that token with the user / create a new field in your user table to store it.
To associate the user with a Facebook account without the user logging in, you can try to match by email. It's not 100% accurate but it's pretty good. Facebook doesn't give you email addresses in text form but you can get email hashes from FQL. Since you already know user email addresses, you can calculate the hash for all of your user emails and search through your user base for matches every time a new Facebook Connect user signs up.