6

Trying to add facebook login to an existing login system on a project I am working on. Built with angular, using the FB JS SDK. This is primarily to allow frictionless login, and not currently that fussed about using the access tokens to make further calls with the FB API.

So as a new user, they hit the FB login, accept permissions etc, and it fires me back an access token etc. The new user is created in my DB, along with the accesstoken, FB userid, etc.

How do I now authenticate the user with the userid and accesstoken now stored in my DB? As far as I can see, the access token changes on virtually every page load / request, so next time the user hits the FB login, or I check the FB login status the only constant thing I have is the userid.

Have done various reading on SO and FB docs eg:

https://developers.facebook.com/docs/facebook-login/web https://developers.facebook.com/docs/facebook-login/multiple-providers https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken

How should a Facebook user access token be consumed on the server-side?

... although that has only served to confuse things further.

I imagine I would take that stored accesstoken then check its validity, however due to the various instances of access tokens expiring and being invalidated, this also seems like an incomplete solution.

So my question: How do I securely authenticate my FB users with their counterpart user in my own DB?

Community
  • 1
  • 1
Horse
  • 3,023
  • 5
  • 38
  • 65
  • You still need to perform the FB login logic, when a user visits your site again. Otherwise, your site won’t know that the user is logged in to Facebook and has authorized your app. – CBroe Jan 06 '16 at 13:45
  • @CBroe yeah ofc, but when i check login status the next time a user visits, and I pass the `userid` and `accesstoken` to my login process, the `userid` is the only field I can check against, as the `accesstoken` is different. This makes it super easy to hijack a session just by passing the process a known userid. So what am I missing? :) – Horse Jan 06 '16 at 14:08
  • 2
    Use the access token to make an API request for `/me`, and use the user id you get back from there. – CBroe Jan 06 '16 at 15:22

1 Answers1

8

The Facebook login request returns user id + short lived access token (client side).

Use the server side Facebook SDK to check the validity of the access token (will return user_id and app_id fields if valid).

You can trust the user_id field returned from the Facebook API to check against your existing user database.

James
  • 739
  • 7
  • 13
  • 1
    What if the **user_id** returned by the FB API gets a conflict with a user that already exists in my DB (if I've my own login system too)? – Zahid Saeed Nov 10 '18 at 08:30