3

I have both the Laravel built-in and social authentication. Suppose a user logs in using Facebook; I store the user details such as fb_id, username, email etc. in the users table, which is authenticatable from the built-in login system. This way I can use Laravel Auth.

use App\User;
use Illuminate\Support\Facades\Auth;
use Laravel\Socialite\Facades\Socialite;

$fb_user = Socialite::driver('facebook')->user(); // profile returned by Facebook after the OAuth redirect
$user = User::firstOrCreate(['fb_id' => $fb_user->id, 'name' => $fb_user->name, 'email' => $fb_user->email]); // local row; password stays NULL
Auth::login($user, true); // second argument sets the "remember me" cookie
return redirect('/');

Now the users table has a user with username and password NULL. Couldn't anybody log in with just the username from the built-in login if no password validations are required? Or what is wrong with my concept here?

Sanzeeb Aryal
  • I don't know about Laravel, but I'm pretty sure in these sorts of situations your application just gets a token from Facebook saying whether the user is valid or not. Only Facebook sees the actual credentials. It's called federated identity. And it's a good thing. Would you be happy with a lot of random, potentially insecure sites storing your Facebook credentials? And if you store a user's credentials, what will you do with them, and how will you know if they change their password, or the account expires? Facebook handles all that for you; all you need is a "yes/no" answer from them. – ADyson Dec 05 '16 at 16:35
  • Hopefully you're hashing passwords. Assuming empty passwords are allowed, they will hash to something that is not empty (for example, `password_hash('',PASSWORD_DEFAULT);` returns something like `$2y$10$MD7HZwh9oki9U74Ta1/7OuDpYK8UXAFEufgMIeNazKSyv1xRabwqu`). Therefore there should be no real issue with your method. – Niet the Dark Absol Dec 05 '16 at 16:35
  • @ADyson I'm not asking fb to provide me the password. If I store their id, email, name, leaving password blank in the authenticatable table of my app database, couldn't it be logged in from the normal login form? Or should I simply not store any fb user details in the authenticatable table? – Sanzeeb Aryal Dec 06 '16 at 02:44
  • 1
    @SanzeebAryal maybe you should have a field to flag the user as being from a separate authentication source. That way, if anyone tries to log in directly using those details, you can ignore rows with that flag when checking credentials. – ADyson Dec 06 '16 at 08:38
  • @ADyson this would be a good idea, but I'm still not satisfied with leaving the password field blank. Anyway, thanks. – Sanzeeb Aryal Dec 06 '16 at 10:21
  • Why not? If you never consider that row when checking login details then no one can log in with those credentials (except via the original social login); it would be impossible. – ADyson Dec 06 '16 at 10:26
  • @ADyson got it, thanks. – Sanzeeb Aryal Dec 06 '16 at 10:32

2 Answers

4

Couldn't anybody login with just username from built in login if no password validations are required?

Yes, anybody can log in.

From the comments:

Solution 1:

Passwords should be hashed. Assuming empty passwords are allowed, they will hash to something that is not empty (for example, password_hash('',PASSWORD_DEFAULT); returns something like $2y$10$MD7HZwh9oki9U74Ta1/7OuDpYK8UXAFEufgMIeNazKSyv1xRabwqu). Therefore there should be no real issue with this method.

Solution 2:

We should have a field to flag the user as being from a separate authentication source. That way, if anyone tries to log in directly using those details, you can ignore rows with that flag when checking credentials.

Sanzeeb Aryal
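One way to implement Solution 2 in Laravel, as an added example that is not code from the question or from Laravel itself. It assumes a Laravel 5.3-style app whose LoginController uses the AuthenticatesUsers trait; the column names provider and provider_id and the file paths in the comments are assumptions.

```php
<?php
// Added example; assumed file: database/migrations/2016_12_06_000000_add_provider_to_users_table.php
// Records where an account came from and lets password be NULL for social accounts.
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

class AddProviderToUsersTable extends Migration
{
    public function up()
    {
        Schema::table('users', function (Blueprint $table) {
            $table->string('provider')->nullable();            // e.g. 'facebook'; NULL = local password account
            $table->string('provider_id')->nullable();         // the provider's own user id (the fb_id)
            $table->string('password')->nullable()->change();  // change() requires doctrine/dbal
        });
    }

    public function down()
    {
        Schema::table('users', function (Blueprint $table) {
            $table->dropColumn(['provider', 'provider_id']);
        });
    }
}

// Assumed file: app/Http/Controllers/Auth/LoginController.php
// Restricts the login form to rows with no provider, so a Facebook-created row
// is never even retrieved for a password check, whatever is typed into the form.
use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected $redirectTo = '/';

    // Overrides the trait's credentials(): EloquentUserProvider turns every
    // non-password key into a WHERE clause, and a null value becomes "provider IS NULL".
    protected function credentials(Request $request)
    {
        return array_merge($request->only($this->username(), 'password'), ['provider' => null]);
    }
}
```

The Socialite callback should then create rows with provider set (for example firstOrCreate keyed on provider and provider_id), so every Facebook account carries the flag.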
-2

Recently I ran into this same issue. I recommend this:

When a user chooses social media to log in to your website, create their account on your website using the information you got from the social media site after authentication, and log them into your website. Now, as soon as they log in, show them a popup to set a password for their account.

From then on, they can use both Laravel built-in and social authentication for login.

Parth Vora
  • 1
    Surely this defeats the point of them using a social login: now they have another account on your website, plus their social one. – ADyson Dec 06 '16 at 08:37
  • @ADyson so are you saying to allow the user to log in to your site using their social account but not create their physical account? If you are not creating their account on your website, how will you log them in? This is insane. As per my knowledge, when you use social media to log in to any website, they will create a new account on their site too. – Parth Vora Dec 06 '16 at 09:25
  • I'm not saying don't create any record of them, but why ask them for a password? They chose to log in via social; that means they don't want to be bothered creating a direct account on your site, and they don't want to manage a separate login and password. Just create the minimum details you need and associate them with the social account ID. If they can log in in two different ways, it's just confusing anyway. – ADyson Dec 06 '16 at 09:35
  • If we ask for a password, what is the need for social authentication? Just ask for the other details too. – Sanzeeb Aryal Dec 06 '16 at 10:26