0

I have a traditional Devise user authentication system that simple uses email and password to login. I want to add login with Facebook. I have this mostly working, but I am curious about the security implications of handling an edge case.

Let's say this stuff here happens:

  1. User is currently unauthenticated, but has an existing account with email "foo@bar.com"
  2. User clicks "Login with Facebook", authorizes access from Facebook
  3. Facebook calls back to my server showing email as "foo@bar.com"

At this point we have a user account with no attached Facebook credentials, and we have a Facebook credential with no attached user, but they both have the same email.

So at this point there are two options:

  1. Complain at the user that that email address is already in use by another user, and that to add Facebook to their account they must first login (with their password) and associate the Facebook account.
  2. Or simply sign them in to the account that had the same email, and then attach the facebook credential to their account.

Option 2 is preferred as it's easier for the user, but it means giving access to an account via Facebook that has never before been linked Facebook. If the email address the server gets from Facebook can be spoofed or altered in any way, this is a huge security issue.

But my server trusts that a user is secure for an email, and so does Facebook. But can I trust the communication between them?

Alex Wayne
  • 178,991
  • 47
  • 309
  • 337
  • I'm not sure if you noticed, but the question I linked to was updated about 2 weeks ago. Apparently Facebook has fixed its bug so you will only receive the user's email if it has already been confirmed. Since now you can trust that email, I will edit my answer accordingly. – Ashitaka Jan 04 '14 at 21:40

1 Answers1

1

You can only link the accounts if the email has been confirmed on both services.

On your side, you should be confirming the user's email (using Devise's Confirmable module).

On Facebook's side, they should send a verified_email field that confirms that that account's email address has been confirmed. Unfortunately, Facebook only returns a verified field which is affected not only by email but also by SMS confirmation and by entering a valid credit card.

However, it seems that the email will only be returned if it has been confirmed. See this SO question for more information. The problem is I can't find the official documentation that confirms this (this is as close as I could get), so in the meantime I recommend testing this on your own just to be absolutely sure. If you do find the right documentation, don't forget to add a comment here.

Community
  • 1
  • 1
Ashitaka
  • 19,028
  • 6
  • 54
  • 69