Log in to Rails app using Facebook SDK











I have built a Rails app where users can log in using Facebook. They have an account on the Rails app but don't do any authentication in it other than creating a session if they have logged into Facebook successfully.



The first part is using the SDK to get the access_token if they have logged in:



FB.getLoginStatus(function (response) {
  if (response.authResponse) {
    // Hand the SDK's access token to the Rails /auth endpoint, then reload as the logged-in user
    $.post('/auth', {access_token: response.authResponse.access_token}, function (data) {
      window.location.href = '/';
    });
  }
});


And then I pass this to my create method in my controller:



def create
  user = User.from_facebook(params[:access_token])
  session[:user_id] = user.id
end


And the model has the following methods:



require 'ostruct'
require 'rest-client' # already loaded by Bundler in a Rails app

def self.from_facebook(access_token)
  # get the user from the FB API
  fb_user = get_user(access_token)
  # either return or create a user from the ID
  where(id: fb_user.id).first_or_create do |user|
    user.id = fb_user.id
    user.name = fb_user.name
  end
end

# from_facebook is a class method, so its helper must be one as well; a bare
# `private` does not apply to `def self.` methods, hence private_class_method.
def self.get_user(access_token)
  response = RestClient.get("https://graph.facebook.com/me", params: { access_token: access_token })
  # The Graph API answers with JSON; expose its fields as fb_user.id / fb_user.name
  JSON.parse(response.body, object_class: OpenStruct)
end
private_class_method :get_user


So I basically either return an existing user or create a new user with the user id that comes from using the access token. This should prevent any unauthorized access and only log in the correct user as it means that the user is logged in using the access token to get the user from Facebook.



Are there any flaws in this method? I know I don't handle the case where the access_token is invalid, etc. I'm more interested in the security aspect of logging the user in by getting their ID from the token, but as this is all done server side, it seems pretty secure. I also don't want to use anything like Omniauth or other gems.










      javascript ruby-on-rails authentication facebook






      edited Sep 27 '17 at 2:46









      200_success

      asked Jul 28 '17 at 22:40









      Cameron
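The question leaves invalid tokens unhandled, and a successful /me lookup on its own also does not tell the server which app the token was issued to. Here is an added example (not code from the question or the answer) of the check a reviewer would want before from_facebook turns a client-supplied token into a session: it inspects the token through the Graph API's debug_token endpoint using an app access token, and only accepts the user_id when the token is valid, unexpired and bound to your own app id. Assumptions: the app id, app secret and sample responses are constructed placeholders, and Net::HTTP from the standard library stands in for RestClient.

```ruby
require 'json'
require 'net/http'
require 'uri'
require 'openssl'

GRAPH = 'https://graph.facebook.com'.freeze

# Asks the Graph API to inspect +user_token+. Authenticates with an app access
# token ("APP_ID|APP_SECRET"). Network call, so it is not exercised offline here.
def fetch_debug_token(user_token, app_id, app_secret)
  uri = URI("#{GRAPH}/debug_token")
  uri.query = URI.encode_www_form(input_token: user_token,
                                  access_token: "#{app_id}|#{app_secret}")
  JSON.parse(Net::HTTP.get(uri))
end

# Pure validation step over the parsed debug_token response, so it can be
# checked with constructed data. Returns the Facebook user id the token belongs
# to, or nil when the token must not be turned into a session.
def trusted_user_id(debug_response, expected_app_id, now = Time.now.to_i)
  data = debug_response.fetch('data', {})
  return nil unless data['is_valid'] == true
  return nil unless data['app_id'].to_s == expected_app_id.to_s # issued to our app
  expires_at = data['expires_at'].to_i
  return nil if expires_at.positive? && expires_at <= now
  data['user_id']&.to_s
end

# appsecret_proof: HMAC-SHA256 of the user token keyed with the app secret. When
# the app requires it, Graph API calls made with the token must carry it as well.
def appsecret_proof(user_token, app_secret)
  OpenSSL::HMAC.hexdigest('SHA256', app_secret, user_token)
end

# Constructed sample responses with placeholder ids (not real Facebook data).
OUR_APP_ID = '111111111111111'.freeze
VALID_RESPONSE = { 'data' => { 'app_id' => OUR_APP_ID, 'is_valid' => true,
                               'expires_at' => 2_000_000_000, 'user_id' => '42' } }.freeze
FOREIGN_APP_RESPONSE = { 'data' => { 'app_id' => '222222222222222', 'is_valid' => true,
                                     'expires_at' => 2_000_000_000, 'user_id' => '42' } }.freeze
EXPIRED_RESPONSE = { 'data' => { 'app_id' => OUR_APP_ID, 'is_valid' => false,
                                 'expires_at' => 1_000_000_000, 'user_id' => '42' } }.freeze

if $PROGRAM_NAME == __FILE__
  p trusted_user_id(VALID_RESPONSE, OUR_APP_ID)        # "42"
  p trusted_user_id(FOREIGN_APP_RESPONSE, OUR_APP_ID)  # nil
  p trusted_user_id(EXPIRED_RESPONSE, OUR_APP_ID)      # nil
end
```

In the controller, only a non-nil trusted_user_id would be handed to the where/first_or_create lookup; anything else answers with 401 and creates no session.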

          1 Answer
          I've implemented a few social apps before. What you've done is pretty standard practice when it comes to OAuth authentication and is secure.



          The one thing you could change:



          where(id: fb_user.id).first_or_create do |user|
            user.name = fb_user.name
          end


          When you use first_or_create, the conditions from the where query are set as attributes on the record it creates. So in your case the id will already be set to fb_user.id.






                answered Jul 29 '17 at 0:28









                Cameron Barker
