Logic Behind Social Login - authentication

I have created a nice little login script for my website that lets users login with Facebook or Google at the moment.
What I am trying to do is set some checks to make sure that duplicates do not appear in the database.
Here are some scenarios I have covered :
Login with Google/Facebook account and I have already registered this account. This will log the user straight in as they have already linked this account.
User has already registered with Google account, yet clicks Facebook because they cannot remember which account they used. This will alert the user that the email address returned from Facebook has already been registered with a Google account. This will enable them to click on Facebook to Login ??? NOT SURE ON THIS LOGIC AT THE MOMENT ???
User clicks on Google/Facebook to login, yet the email address returned is a user that went through the manual registration. This will alert the user that the social account they are trying to login with will require a password.
What I am thinking of doing is allowing users to LINK ACCOUNT so that the alerting process does not happen, because I can link my Facebook account to my Google account through my website, and vice versa, etc.
What I am asking :
Are there any other checks I may be missing? Is this logic sound? Is there anything I am doing which makes you question the login process??
Basically asking logic advice on this one.

Well congratulations! You're almost on the right track. Let's break down your situation here.
Ideal Situation
1. Registered on your site
2. Log in with Google
3. Log in with Facebook
Now, let's take the common denominator here, I mean the primary key. I am guessing in your case it should be the email address.
Actual Process Flow
1. User registers. You save the email address
Or,
2. User registers with Google/Facebook and you save the email address.
Login Procedure
1. You receive the email address either from direct login/facebook/google.
2. You match it against your table
3. On positive match, you link this social login to an existing account
If,
4. It is not a positive match, then you accept whatever data you receive and pass it on to the registration page.
Hope this helps! Let me know if you want to know anything else.
Cheers!

Related

How to differentiate between login with google service account and email login (having same google account)?

I have an account on Gmail. I have implemented login with google service on a project.
Now the Question is, What method is the optimal or the best practice which is followed regarding the account?
There are two ways:
I make an account with normal email and password sign up.
Login with Google
What if I use the same email and get registered with two different accounts on the project or there should be error saying "the account is already exists with this email"??
So let's see if I follow you.
You have a system which has two login options.
Create a new user and register with your email
Login with your Google account.
In the event a user uses their Gmail email address and tries to login with their Google account, you're getting an error that the email already exists.
The issue being that both systems are trying to create a new user. This is where the issue is. Your system should be checking if the email exists; if it does, then link the account sources rather than creating a new user. So the user would have two login sources: one for normal login and password and the other as an external source, being Google.
How you achieve this depends upon your system.

Instagram Sandbox Invites page redirects to the developer register page

I have an app in sandbox mode and I have a sandbox user that is pending. (It has also been at least a day since the user was added). The user can successfully use my app and has given authorization; however, the user's likes returns an empty response (I know they can only access liked media from other authorized sandbox users, but the user has liked media from my account that is set as the admin). The Instagram API documentation states that the user may go to their developer site and accept/decline sandbox invites from the Sandbox Invites tab except my user is shown the developer register page instead. Does anyone know what is going on/how to fix this?
Instagram made sweeping changes to its API and the way it is accessed recently. As a result of the lockdown the Sandbox Invite process is glitchy at best. I myself just ran into this issue of invites not showing up.
It seems, for the moment, the only way to access the invite is to fill out the developer form (I just used a http://localhost:8000 URL and a random phone number that is not likely to exist, although try without one as it might not be necessary). That should automatically forward you to the invite page where the invited user can then accept or decline a Sandbox Invite.
It's a bit of a mess and the lack of documentation / indication to indicate that this step is mandatory doesn't help matters. Hope this helps save some time and headaches!

How do I detect Google account deletion?

I've just started working with Google OAUTH2 in order to add a "Sign in with Google" button to my web site.
According to the "Google+ Platform Developer Policies" section B.2.a.III, if a user deletes their Google account, I must delete all personal information I obtained from the Google API relating to them.
Does this apply to my web application as well? And if so, how do I detect that a user's Google account no longer exists? Surely, a successful login will only occur if the Google account exists; so how can I tell if a previously existing account is no longer there?
Maybe someone has a better approach, but a simple and practical solution would be to have a link buried somewhere on your site that allows a user to request account deletion via email (assuming you still possess a valid email for him - if he deletes his Gmail and that's all you have, then you have no way to contact him other than manually via phone or something).
The doc you link to says: "Give users a reasonably convenient way to delete any of their personal information you've obtained from the API."
So assuming you still have a valid email address, this would work:
1. Your FAQ says "What if I want to delete my account?". Links to account deletion page.
2. Account deletion page: What's your email? _____ (Continue)
3. Email is sent to user with (securely randomized) confirmation link.
4. Confirmation link is clicked by user, which deletes all of his data from your site.
Success of that process is dependent only on your system and the email arriving.
(If you are concerned about complying to EU data protection law, you might want to implement this feature anyway - since one legally has the right to demand the deletion of one's own personal data.)
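The request-then-confirm flow from the answer above, as an added example that is not part of the original post. It assumes an in-memory user store (constructed here) and shows the two properties a practitioner would want from the "securely randomized" link: only a hash of the token is stored, and the token is single-use and expires.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the site's database (assumption).
USERS = {"alice@example.com": {"source": "Google API profile"},
         "bob@example.com": {"source": "Google API profile"}}
PENDING = {}          # sha256(token) -> (email, expiry timestamp)
TOKEN_TTL = 60 * 60   # one hour to click the link

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_deletion(email, now=None):
    """Deletion page: the user types an email. A random, single-use token is
    generated and only its hash is stored, so a leaked database row cannot be
    turned into a working link. Returns the token to embed in the mailed
    link, or None when no account matches. The HTTP response to the form
    should look the same either way, so the page cannot be used to check
    whether an address is registered."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING[_digest(token)] = (email, now + TOKEN_TTL)
    return token

def confirm_deletion(token, now=None):
    """Confirmation link: hash the presented token and look it up. The entry
    is removed on first use whether or not it is still valid, then all data
    for that email is deleted. Returns True only when deletion happened."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_digest(token), None)
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    USERS.pop(email, None)
    return True
```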

Twitter doesn't provide email address for Rails integration

I've integrated social logins (Facebook, Twitter, etc.) with a Rails app using Devise and OAuth. The requests and callbacks all work great and users are able to authenticate the app and login efficiently.
My problem is this:
With Devise, my site has the user's email address as the username. So, whenever a user logs in through a social site for the first time, a 'connection' record is stored for their account to show which social sites they've logged in with. If they don't already have an account on my site, one is created with the email address from the callback array. The connection is then stored along with the returned tokens and secrets for later use (FB posts, tweets, etc.).
Unfortunately, Twitter doesn't provide the email address. To circumvent this, I'm asking first-time users that login with Twitter to simply provide an email address so an account can be created. However, I can't figure out what to do if they already have an account on my site. I can't check if they already do since I'm not given an email address to match up. This could ultimately cause a user to have multiple accounts.
So, I'm a bit at a loss, and if anyone has any suggestions, it would be extremely helpful.
Thanks! :)
You'll need to store some oauth provider info like {provider, twitter identifier} too to your database and then check twitter oauths based on that instead of the email ID.
The simplest thing to do would be to add a slightly different flow for if the login was via Twitter. Ask a first-time Twitter login user for the email ID. In your users table, add a column called tw_id and add the user's Twitter identifier. Next time, if the login is via Twitter, you check the tw_id instead of the provider email and proceed with the normal app flow.

Single login (facebook, twitter, linkedin) services: how to combine accounts

The problem I see with single login services is that if you login once using Facebook, once using Twitter, and once using LinkedIn, you have three different accounts. Everything would be fine if Twitter were giving an email address. So, how do you fix it?
I have the same problem and I was hoping the clever folks on SO would have an elegant solution. All I can think of doing is :
1. User logs in with LinkedIn
2. Check the user table to see if they have an account using their LinkedIn id
3. If not, ask them for their email address before logging them in
4. When we have the email address, check to see if they already have an account using their email address
5. If they do, add their LinkedIn ID to this record and log them in
6. If they don't, create a new record and log them in
This means that each user record needs fields for every possible account, or more correctly use a link table connected to their local user id with a record for each account they log in with.
It also defeats the benefit of a simple OpenID login because the user has to register their email the first time they login with a new OpenID account.
Like I said, elegant it ain't, but it is the best I can think of.
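The resolution logic that the answers on this page converge on (match on the provider identifier first, fall back to the email, link or create), written out as an added example that is none of the posters' code. It assumes a constructed in-memory store and adds the check a defender would want before linking on an email match: the email must have been verified by the provider, and a manually registered account must prove its password first (the case the first question describes), since linking on an unverified or self-typed address lets anyone attach a social identity to someone else's account.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    id: int
    email: str
    password_hash: Optional[str] = None        # set only for manual registrations
    links: dict = field(default_factory=dict)  # provider -> provider user id

class Accounts:
    """Constructed in-memory user store standing in for the site's tables."""
    def __init__(self):
        self.users, self.by_link, self.by_email = {}, {}, {}

    def create(self, email, password_hash=None):
        """Manual registration when password_hash is given, else a social signup."""
        user = User(len(self.users) + 1, email, password_hash)
        self.users[user.id] = user
        self.by_email[email] = user.id
        return user

    def link(self, user, provider, provider_id):
        """Attach a social identity. Call directly only after the user has proved
        control of the existing account (password or verified email)."""
        user.links[provider] = provider_id
        self.by_link[(provider, provider_id)] = user.id

    def social_login(self, provider, provider_id, email, email_verified):
        """Resolve a social callback to (user, outcome). Outcomes:
        login / new / linked, or needs_email (provider gave no email, e.g.
        Twitter: ask for one and retry), needs_password (email belongs to a
        manual registration), needs_verification (email not verified by the
        provider or typed in by the user: confirm before linking or creating)."""
        uid = self.by_link.get((provider, provider_id))
        if uid is not None:
            return self.users[uid], "login"
        if not email:
            return None, "needs_email"
        user = self.users.get(self.by_email.get(email))
        if user is not None and user.password_hash is not None:
            return user, "needs_password"
        if not email_verified:
            return user, "needs_verification"
        status = "linked" if user is not None else "new"
        user = user or self.create(email)
        self.link(user, provider, provider_id)
        return user, status
```

After the user has entered their password or confirmed the address, the application calls link() itself and the next callback resolves straight to "login".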