
This is a question about securely retrieving a user record from the backend when users log in with their Facebook accounts.

// Client side (React component method): opens the Facebook login dialog, then
// requests the profile fields from the Graph API and hands them to the app.
loginToFacebook = () => {
  FB.login((response) => {
    // The FB.login `response` (which carries authResponse.accessToken) is shadowed
    // by the inner `response` below; response.status is not checked here either.
    FB.api('/me', {fields: 'id,name,timezone,email,age_range,picture'}, (response) => {
      this.props.receiveCurrentUser({
        uid: response.id,
        email: response.email,
        name: response.name,
        timezone: response.timezone,
        picture: response.picture.data.url,
        minAge: response.age_range.min,
      })
    })
  }, {scope: 'email, public_profile'})
}

At this point, I have the user's information. Right now I try to find the user record in the backend using the uid only.

# Rails controller: the uid comes straight from the request parameters
@user = User.find_by(uid: params[:uid]) if params[:uid]
head :unprocessable_entity unless @user

But this can be easily compromised if someone knows the user_id of anyone's Facebook account (duh). I thought about storing the access_token in the backend and finding the user like below:

# Rails controller: look the user up by a previously stored access token
@user = User.find_by(access_token: params[:access_token]) if params[:access_token]
head :unprocessable_entity unless @user

The problem is that the access_token expires, and the access_token you get from the Facebook login can be out of sync with the one stored in the backend.

What's the right way of doing it?

Thank you for your advice in advance.

Maximus S
  • If token expiry is an issue, you can actually try to get a long-lived access token. http://stackoverflow.com/questions/10467272/get-long-live-access-token-from-facebook – user3663854 Oct 17 '16 at 02:36
  • You send the access token to the server, and then you make a server-side API request to get the user id using that token. – CBroe Oct 17 '16 at 16:35
  • @CBroe Does that mean for every request from client to server, I have to attach `access_token` with it, and the server will use it to ask Facebook to get `uid`? Then the server will use `uid` to finally find a user record in its own database? – Maximus S Oct 19 '16 at 05:05
  • Of course not for every request, only for the initial one after FB login. After that you use your app's own mechanism to recognize a user again (e.g. a session). – CBroe Oct 19 '16 at 10:22

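The flow CBroe describes in the comments, written out as an added Ruby example (not code from the question or from Facebook's SDK): the client sends only its access token, the server verifies that token against the Graph API `/debug_token` endpoint using the app's own credentials, and the uid used for the database lookup is the one Facebook reports for the token, never the one in the request body. The app id/secret, the in-memory user list and the stub verifier are constructed placeholders; `debug_token` does the real HTTPS call, while `verifier:` is injected so the lookup logic can run offline.

```ruby
require 'net/http'
require 'json'
require 'uri'

# Constructed placeholders: in a real app these come from the environment, not source.
APP_ID = 'APP_ID_PLACEHOLDER'
APP_SECRET = 'APP_SECRET_PLACEHOLDER'

# Real Graph API call: ask Facebook what the client-supplied token actually is.
# Authenticates with the app access token (APP_ID|APP_SECRET) so the answer
# cannot be forged by the client. Returns the "data" hash of the response.
def debug_token(input_token)
  uri = URI('https://graph.facebook.com/debug_token')
  uri.query = URI.encode_www_form(input_token: input_token,
                                  access_token: "#{APP_ID}|#{APP_SECRET}")
  JSON.parse(Net::HTTP.get(uri)).fetch('data', {})
end

# Resolve the uid the token belongs to, or nil if the token is unusable.
def uid_from_token(input_token, verifier: method(:debug_token))
  data = verifier.call(input_token.to_s)
  return nil unless data['is_valid'] == true
  return nil unless data['app_id'].to_s == APP_ID          # issued for another app
  expires_at = data['expires_at'].to_i                      # 0 means "never expires"
  return nil if expires_at.positive? && expires_at <= Time.now.to_i
  data['user_id']
end

# Hardened lookup for the first request after FB login: the uid is taken from
# Facebook's answer, so knowing someone's Facebook id is not enough to log in as them.
# Afterwards the app would set its own session (e.g. session[:user_id] = user[:id])
# and not touch the token again.
def find_user_by_token(users, input_token, verifier: method(:debug_token))
  uid = uid_from_token(input_token, verifier: verifier)
  uid && users.find { |u| u[:uid] == uid }
end

# Constructed sample data and an offline stand-in for /debug_token.
SAMPLE_USERS = [{ id: 1, uid: '1001', name: 'Alice' }, { id: 2, uid: '1002', name: 'Bob' }].freeze
STUB_VERIFIER = lambda do |token|
  case token
  when 'tok-alice'   then { 'is_valid' => true, 'app_id' => APP_ID, 'user_id' => '1001', 'expires_at' => Time.now.to_i + 3600 }
  when 'tok-expired' then { 'is_valid' => true, 'app_id' => APP_ID, 'user_id' => '1002', 'expires_at' => Time.now.to_i - 60 }
  when 'tok-other'   then { 'is_valid' => true, 'app_id' => 'OTHER_APP', 'user_id' => '1002', 'expires_at' => 0 }
  else { 'is_valid' => false, 'error' => { 'message' => 'Invalid OAuth access token.' } }
  end
end
```

With the stub, only `tok-alice` resolves to a user; a forged token, a token for another app, or an expired one yields nil and the controller can answer with `head :unauthorized`.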