Skip to content
This repository has been archived by the owner on Nov 9, 2017. It is now read-only.

Added integration of existing account. #149

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Added integration of existing account. #149

wants to merge 6 commits into from

Conversation

daFish
Copy link

@daFish daFish commented May 23, 2012

Fixes #145

@daFish
Copy link
Author

daFish commented May 23, 2012

Looks like I screwed the PR. Maybe my commit (a369a1d) can be cherry picked.

arnaud-lb
arnaud-lb reviewed Jun 20, 2012
View reviewed changes
README.md
// there might be already a user with the same email adress
if (null === $user) {
$user = $this->findUserByEmail($fbdata['email']);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure, but since one can create a facebook account with any email address, wouldn't this allow any one to login to any account ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would indeed be a security issue.

One solution could be a notice to the user to login with his credentials and merge the Facebook information with the existing account. That way we are sure the user is really in possession of the account.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct if I'm wrong but I think my implementation is valuable security wise.

If you create an Facebook account you need to verify this account before you can use it. So the Facebook account is sufficiently authenticated. If a user has access to the email address then the account itself is already compromised.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$fbdata['verified'] is true if facebook has verified the account.

Not sure if this means the email address they've given is valid or just if one of the emails on the account has been verified / user has verified a mobile number.

I think redirecting to another login form is probably the way to go.

@alex88
Copy link

alex88 commented Nov 5, 2012

It would be nice to add the feature of merging a logged account with a facebook account instead of just checking the same email, because someone can use different emails

@stof
Copy link
Member

stof commented Nov 5, 2012

@alex88 this is the readme. Your code can modify this example in the way you want to implement more complex use cases.

@alex88
Copy link

alex88 commented Nov 6, 2012

@stof which readme? I just given an advice in something else to add as feature.

@stof
Copy link
Member

stof commented Nov 6, 2012

@alex88 The whole description of storing users in the database when using this bundle, both in the current state of the bundle and in this PR. FOSFacebookBundle does not provide any sort of user persistence, so why should it try to implement the merging of a user with a persistent one (which is not implemented) ?

@alex88
Copy link

alex88 commented Nov 7, 2012

So this pull request has no sense since it relies on persistent users?

@stof
Copy link
Member

stof commented Nov 7, 2012

@alex88 This PR does not rely on anything. It improves the README showing you how you can persist users. But it is only an example. Each project can adapt it to their own needs.

@alex88
Copy link

alex88 commented Nov 8, 2012

Oh, sorry for that!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
in progress
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Using FOSFacebookBundle to bind "fosuserbundle users" to facebook accounts
7 participants
@daFish @alex88 @stof @arnaud-lb @jbergler @lsmith77 @MattKetmo