Thursday 28 April 2016

ELI5: OAuth for persistent logins — Can someone help explain how OAuth login is secure, if all you're using to identify the user is a profile.id? (Passport)

Dear all,

I am trying to understand how OAuth authentication for user login works. I am using Passport.js with Sails/Express. Let's take Facebook OAuth to keep things simple.

Once the user approves my app's access to the Facebook API on their behalf, I receive some JSON back from Facebook that includes, e.g., their first name, their e-mail, and their profile.id.

From the documentation I am finding online for Passport, it looks like when a user wants to register to your website using Facebook, you store the user in your database by calling User.findOrCreate(). So, if the user already exists, then great. If the user doesn't, then create a new user.

In all the examples I've seen online, the way you create a new user (in your database) is just by creating a new user with profile.id. But how can that be!? There's no password! It's literally like registering with just a username!

But how is that safe? Can't someone just spoof my profile.id (which is supposedly just a simple integer like 8832913) in their cookies and then log in as me?

If someone can please help me with the logic/overall flow/big picture of OAuth for registration & login, and what is actually being saved inside my database, that would be wonderful.

Thanks.

Submitted April 28, 2016 at 08:51AM by LeeHyori
