5

Let me start by saying I really like Deployd. I want to use it in production, but I want to incorporate OAuth and social logins, so I installed the dpd-passport module. It works great, except for two little (big) problems:

  1. When a user signs in via an OAuth provider (e.g. Facebook, Twitter, GitHub) a new user record is created...but if the same user clears their cookies or uses a different browser to log in, a new user record is created.
  2. If I do something clever (read: hacky) and assign users with social logins an ID based on the socialAccount and socialAccountId (something unique but constant for each social account), someone could use the standard method of user creation to spoof a user by making a POST request to the /users endpoint if they knew that user's socialAccount and socialAccountId.

My question is: How can I A) prevent #1 from occurring, or B) disable the standard method of user creation without also preventing OAuth user creation?

Has anyone ever successfully used Deployd and dpd-passport in production? If so, I want to speak with you...

Thanks in advance!

Shaun Scovil

1 Answer

0

First of all, I think you haven't added the custom fields per the docs. https://www.npmjs.com/package/dpd-passport#requirements

I hadn't either, and observed the new user feature (because it couldn't look up the response from the auth service to find the user from before). Adding these fields fixed it.

Also, there is a google group here: https://groups.google.com/forum/#!forum/deployd-users

Hope that helps.

  • Hey Seth, thanks for the response. I definitely did add those fields to the user record, per the docs, and had posted a similar question to the google groups forum, but have since stopped using Deployd for a number of other reasons. It may have just been a version-specific bug, or something related to my dev environment, but I don't think I'm going to revisit it. – Shaun Scovil Apr 04 '15 at 02:27
  • @ShaunScovil, did you replace deployd with some other BaaS? I really like deployd and I'm in the middle of the development of a product over it, but the problems are appearing and the development/community around deployd seems to be disappearing... – Loreno Oliveira Jun 18 '15 at 11:47
  • @LorenoOliveira Since I've stopped using Deployd, I've been building my APIs using either Java/Jersey or Node/Express. Express has the lower learning curve, and is what Deployd uses I believe. If both of those options are too advanced (or even if not), you may want to look into LoopBack: https://strongloop.com/node-js/loopback-framework/ – Shaun Scovil Jun 18 '15 at 14:04
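
The two controls the question asks about, sketched as an added example (not code from Deployd, dpd-passport, or either poster): a find-or-create keyed on the provider identity so repeat logins reuse one record, and a public user-creation path that refuses client-supplied identity fields. The in-memory store, the function names and the `profile` shape are assumptions; `socialAccount` and `socialAccountId` are the fields named in the question.

```javascript
// Added illustration: in-memory stand-in for a users collection (not Deployd's API).
const users = new Map();      // id -> user record
const bySocial = new Map();   // "provider:providerId" -> user id (unique index)
let nextId = 1;

const socialKey = (account, accountId) => `${account}:${accountId}`;

// Called only from the server-side OAuth callback, after the provider has
// verified the profile. It looks up the existing record before creating one,
// so cleared cookies or a different browser map back to the same user.
function findOrCreateSocialUser(profile) {
  const key = socialKey(profile.provider, profile.id);
  const existingId = bySocial.get(key);
  if (existingId !== undefined) return users.get(existingId);
  const user = {
    id: String(nextId++),     // server-generated, never derived from the social id
    username: profile.displayName,
    socialAccount: profile.provider,
    socialAccountId: String(profile.id),
  };
  users.set(user.id, user);
  bySocial.set(key, user.id);
  return user;
}

// Handler for the public POST /users path. The request body is untrusted, so
// the record id and the identity-linking fields may only be set server-side.
const SERVER_ONLY = ['id', 'socialAccount', 'socialAccountId'];

function createLocalUser(body) {
  const forbidden = SERVER_ONLY.filter((f) =>
    Object.prototype.hasOwnProperty.call(body, f));
  if (forbidden.length > 0) {
    return { status: 400, error: `fields not allowed: ${forbidden.join(', ')}` };
  }
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    return { status: 400, error: 'username and password are required' };
  }
  const user = { id: String(nextId++), username: body.username };
  users.set(user.id, user);   // credential storage omitted: out of scope here
  return { status: 200, user };
}
```

Because the record id is generated server-side and the social fields are only written by the callback path, knowing someone's `socialAccount` and `socialAccountId` gives a caller of the public endpoint nothing to claim.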