0

I've spent the better part of a day researching this and thought I could figure this out on my own, but no luck.

Here's the situation, I have FB authentication in a mobile app. This is working fine. A user can log in and I can access the public profile data, etc.

The issue is that I would like to have NEW users or first time logins to create new records in my private database, because I am looking to store more than email, and FB id. For example, favorite items. I can also accomplish this easily enough with a post to (www.mywebsite.com/api/users/).

So, the REAL issue is that I don't want to have a route that simply allows people to add users to my database, willy-nilly.

Is there a way to pass the access token to an API route to ensure that a user can only add a new user-record to the db IF they have a valid FB login?

I've set up the famous "auth/facebook" route that is popular on the web which also works great, until I access it from my app. It then throws X-origin errors (I believe in part due to the callback route).

this post was similar, but still doesn't quite cover it. Authenticating against a REST API with iOS client using Facebook SSO as the only login mechanism

Please help!

Thanks, Wayne

Community
  • 1
  • 1
Wayne F. Kaskie
  • 3,257
  • 5
  • 33
  • 43

1 Answers1

0

After another two days of digging, I found a rather simple solution.

The facebook graph API will allow you to submit the access token to recieve basic user data.

So my solution is now this:

1. Use cordova-facebook4 plugin to authenticate within the app. (You can find details here: https://github.com/jeduan/cordova-plugin-facebook4
2. Send the FB id AND authentication token to my server route, like this:  `myapiserver.com:1234/auth/facebook/<token>/<id>`
3. On the server side, send an ajax request to https://graph.facebook.com/me?access_token=<token received from the
cordova plugin>. This will return the name and FB ID as JSON.
4. On the server, compare the ID returned from facebook to the ID sent with the request. If they match, add the new user, if not, do
not add the user and return an error.  Of course, the server will
not allow a new account to be added to the system if that FB id is
already in use.

At this point, it seems that the worst harm that could be done is for someone to hack another person's FB account, get their token and ID and THEN use that to create a user on my system for that person. Which seems pointless enough that I'm not going to worry about those attacks.

Please comment if you know of a better solution or I missed a security vulnerability.

Ref: How to get the Facebook user id using the access token

Community
  • 1
  • 1
Wayne F. Kaskie
  • 3,257
  • 5
  • 33
  • 43