I need to create application (iPhone/android) that:
shows login screen with username/password fields
could create account with info provided by user (email confirmation)
connects to server with provided credentials to retrieve token
uses web api with provided token to store/retrieve data (but only his data, not other users data)
I am familiarized with client side programming. But I need a server that allows creation of account, login using https+basic auth (or some other mechanism), store client data and allow access to his data via web api (GET/POST/PUSH + token).
I could use FireBase but looks like it can't login user to obtain token, it needs another server to do so.
Ideas?
Found out that Parse allows to create API that could have:
users
data
security rules (data can be read/write only by it's user)
user login via WEB API + token
Hope it is usefull for someone.
Related
I would like to create an app in which there is a mobile (Android) client which uses REST API from the server. A user has to login with Facebook account (using Facebook SDK's LoginButton); on success this should create a user account on the server at the first log in.
I've already read a lot of tutorials about how to secure HTTP API using SSL and access tokens, but there is one point which I don't get. The flow should look like this:
a user log in on the Android app with the Facebook LoginButton
in the Android app I receive an access token on successful log in which I can push to the server
I can validate this access token against Graph API
if validation in 3. is succesful I can create a user account on the server
all other calls to my server API can be secured with received access token or other token which would be created by me
but what about the 2. point? I have to expose API call which takes an access token and creates an account. This API call won't be secured, so if someone calls it with stolen/properly fabricated access token, then I will create an account which shouldn't exist. How to solve this? Do I have to assume that if my create account API is called with an access token which is valid (because I validate it in 3.) then everything is ok? Is there a better solution?
You are right, never trust the client. Always validate all client input again on the server.
In your case, you're validation of the token on the server in Step 3 should include comparing the result from Graph API with the result from decrypting the user info from the token. If both match, then proceed.
There are several code examples on Facebook website on how to do this correctly. They are available in several server languages (e.g. PHP) so I recommend reviewing them.
I am building a android application that requires Sign in. For this, I have used the Facebook and Google+ sdk for android. I use Facebook and Google+ sign in instead create my own sign in.
This app will connect with a Spring service to access a storage data. This data is private for each user, therefore I need a log in system. The data will be stored in a database in the server.
My question is, how I can link the data with the user?
I have thought obtain the access token in the android app and pass it to the service. With this access token, can the server obtain, for example, the user id to link the data with the user? or are there other ways to do this?
You can follow either of below mentioned approaches:
You can pass the access token from the app to the server and using the graph API, get the user details including user id, email ,etc. Once you get this information you can link it to your data.
Using the access token in the app itself and calling the graph API from the app, get the user details and then pass the user id from the app to the spring service.
This is the simplest approach you can follow.
I am creating an app and want to use the google accounts on the Android phone to get the user's email, name and possibly phone number. How can I securely communicate with a rails server? I could send the auth token but my understanding is that it changes often. I plan on making a private API token for very basic auth but I need a user specific authentication as well. I thought about using an email hash and sending that but there has to be a better solution.
Normally what I would do if the account logins were on the server is login and send a token back and check that token to the database every request but can't do that since I login on the client side.
What would be my best bet to implement something where I log in on the android side but store info on the server?
This is my answer... Uses Google Play API to get a token and verify on server/client side.
http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
I am building an Android app for a website that uses FB connect to link their user data with FB user data by FB id. When I allow the user to log in via Facebook's Android SDK, I get an access token for which I can request data on the user's behalf. I would like to send the access token to the server and have the server then request the user's id to create a local session and send me back the user data specific to this website. Does Facebook allow the access token to be used in this way (authenticate from device and then request data from the server with the same token)? The alternative is to use the SDK on the device to get the FB user id and then pass that to the server, but I feel it's not very secure to allow a session to be created with just a FB user id. This would be an easy thing to impersonate.
What is the typical scenario for this use case (log in via Facebook SDK to create a session on your own web app where the user data is already linked)?
Yes, this is allowed by FB. See below:
https://developers.facebook.com/docs/facebook-login/access-tokens/#architecture
As noted above, access tokens are portable. This means that once you
obtain a token, you can generally use it from any machine - server,
client or otherwise.
I'm writing application which consists of server side on Google App Engine (Java) and client side on Android. They communicate using RESTful web service.
And I really confused with authentication in this application.
How I can implement authentication on Client side so:
User authenticated on client side, I can check if he logged in.
User authenticated on Server side (server side needs to extract some data from FB)
Client and server can communicate (client authenticated on server side)
You can implement or use an existing adndroid AccountAuthenticator.
See this example on android documentation.
Basically, your server side authentication service will return a token to the client if authentication succeeds. The Android AuthenticationManager will store the token for you. Your AccountAuthenticatior will check if the user is logged in. If not, it will launch an activity to request the user to give username, password or whatever you need to log in.
Maybe you could pass to the server the authentication token that you get from FB on the client side? Then you could use UrlFetch on the server side to make calls to FB API. (I don't know if it's safe)
I created GAE-GWT-FB stack, so it's a bit different, but if you want to take a look it's here GWT-GAE-FB