
Deekshith

Laravel Facebook and Google sign-in with JavaScript SDK

In one of the applications I have used the Facebook JavaScript SDK for login purposes and also used the Google sign-in SDK. I have used the approach below: when the user first clicks Facebook login it checks whether the email exists or not; if it exists it logs in, if not it creates a new account and redirects.

If the user again tries to log in using Google with the same email address then I am allowing the user to log in to his previous account; I am just collecting the AUTH token and I am not comparing it while logging in.

Check the Facebook controller logic below,

///////////////////////////////////////
// prep Facebook verification
///////////////////////////////////////

// sanitize login data
$facebook_access_token = filter_var($accesstoken, FILTER_SANITIZE_STRING);

// set variables
$facebook_user_access_token = $facebook_access_token;
$my_facebook_app_id = config('constants.fb.facebook_app_id');
$my_facebook_app_secret = config('constants.fb.facebook_secret_key');
$facebook_application = 'My Portal'; // in my case 'domain.com', as set up in Facebook

///////////////////////////////////////
// get facebook app access token
///////////////////////////////////////
$curl_facebook1 = curl_init(); // start curl
$url = "https://graph.facebook.com/oauth/access_token?client_id=".$my_facebook_app_id."&client_secret=".$my_facebook_app_secret."&grant_type=client_credentials"; // set url and parameters
curl_setopt($curl_facebook1, CURLOPT_URL, $url); // set the url variable to curl
curl_setopt($curl_facebook1, CURLOPT_RETURNTRANSFER, true); // return output as string
$output = curl_exec($curl_facebook1); // execute curl call
curl_close($curl_facebook1); // close curl
$decode_output = json_decode($output, true); // decode as an associative array (without true this returns an object and the array access below fails)

// store the app access_token
$facebook_access_token = $decode_output['access_token'];

///////////////////////////////////////
// verify the user token was issued to my app
///////////////////////////////////////
$curl_facebook2 = curl_init(); // start curl
$url = "https://graph.facebook.com/debug_token?input_token=".$facebook_user_access_token."&access_token=".$facebook_access_token; // set url and parameters
curl_setopt($curl_facebook2, CURLOPT_URL, $url); // set the url variable to curl
curl_setopt($curl_facebook2, CURLOPT_RETURNTRANSFER, true); // return output as string
$output2 = curl_exec($curl_facebook2); // execute curl call
curl_close($curl_facebook2); // close curl
$decode_output2 = json_decode($output2, true); // decode as an associative array

// test browser and Facebook variables match for security
if ($my_facebook_app_id == $decode_output2['data']['app_id'] && $decode_output2['data']['application'] == $facebook_application && $decode_output2['data']['is_valid'] == true) {
    // success
    $check_for_email = User::where('email', $email)->first();

    // if email exists then login, otherwise create a new account

} else {
    // show "email not found" and an error message
}

Is this okay if I match only the email and allow both Google and Facebook sign-in if they have the same email address linked? I am using the condition below if the Facebook/Google login is successful

$check_for_email = User::where('email', $email)->first();
1 like
8 replies
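The app_id / is_valid check from the controller above, written out as a strict stand-alone validator for the decoded debug_token response. This is an added example, not the poster's code; it assumes the browser SDK also posts the Facebook user id it received (`$claimedUserId`) so the server can confirm the token belongs to that user, and the sample responses are constructed.

```php
<?php
// Added example (not from the thread). Validates the decoded JSON returned by
// https://graph.facebook.com/debug_token before a client-supplied user token is
// trusted. $claimedUserId is the Facebook user id reported by the browser SDK
// (assumed to be posted together with the token).
function facebookTokenIsValid(array $debug, string $expectedAppId, string $claimedUserId, int $now): bool
{
    $data = $debug['data'] ?? null;
    if (!is_array($data)) {
        return false;                      // Graph error envelope or malformed body
    }
    // Graph returns ids as strings; compare strictly so "0" or a truthy value cannot pass.
    if (($data['is_valid'] ?? false) !== true) {
        return false;
    }
    if ((string) ($data['app_id'] ?? '') !== $expectedAppId) {
        return false;                      // token was issued to a different app
    }
    if ((string) ($data['user_id'] ?? '') !== $claimedUserId) {
        return false;                      // token belongs to a different user than claimed
    }
    // expires_at is a unix timestamp; 0 is reported for tokens that do not expire.
    $expires = (int) ($data['expires_at'] ?? 0);
    if ($expires !== 0 && $expires <= $now) {
        return false;                      // expired token
    }
    // The email-based login flow needs the email permission on this token.
    return in_array('email', $data['scopes'] ?? [], true);
}

// Constructed sample: a healthy response for app 123456789012345.
$good = ['data' => ['app_id' => '123456789012345', 'type' => 'USER',
    'application' => 'My Portal', 'expires_at' => 1900000000, 'is_valid' => true,
    'scopes' => ['email', 'public_profile'], 'user_id' => '10223344556677889']];

// Constructed sample: a valid token, but issued to another Facebook app.
$wrongApp = $good;
$wrongApp['data']['app_id'] = '999999999999999';

// Constructed sample: Graph error envelope (for instance a malformed input_token).
$error = ['error' => ['message' => 'Invalid OAuth access token.', 'code' => 190]];

$now = 1700000000;
var_dump(facebookTokenIsValid($good, '123456789012345', '10223344556677889', $now));
var_dump(facebookTokenIsValid($wrongApp, '123456789012345', '10223344556677889', $now));
var_dump(facebookTokenIsValid($good, '123456789012345', '1', $now));
var_dump(facebookTokenIsValid($error, '123456789012345', '10223344556677889', $now));
```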
tisuchi

@deekshith I am not sure why you are manually checking all this stuff, but you can achieve this by using the Laravel Socialite package.

You will get tons of tutorials on it. Just google it.

5 likes
Deekshith

@tisuchi I did this 3 years back. But now if I upgrade to Socialite then I should match on google_id and facebook_id. If I want to match only the email, will it cause any security issue? Example:

The user first registers using Facebook with email: [email protected] and he has a Gmail account too with the same email. And if he again tries to log in using the Gmail account linked to the same email then I should allow him to log in,

for this I should put a Socialite condition like below,

$check_for_email = User::where('email', $email)->first();

More than 20k users have already been created using this method. Does this cause any issue if I match only the email in Socialite on login instead of facebook_id or google_id?

3 likes
tisuchi

@deekshith

"The user first registers using Facebook with email: [email protected] and he has a Gmail account too with the same email. And if he again tries to log in using the Gmail account linked to the same email then I should allow him to log in,"

How do you verify the authentication here? If a user is matched by a specific email, what will your next step be?

4 likes
Deekshith

At first I am verifying the login using the Google/Facebook API, whether it is legitimate or not. If it succeeds, I check whether that email already exists in the DB; if it exists I let him into the dashboard in the controller using the code below, and if it does not exist I create a new account and redirect to the OTP page where he should add his mobile number and confirm the OTP.

$check_for_email = User::where('email', $email)->where('user_group', 2)->first();

if ($check_for_email) {
    // braces added so the success response is only returned when the login actually succeeded
    if (Auth::loginUsingId($check_for_email->user_id, true)) {
        session()->put('social_login', 2);
        $check_for_email->update(['login_type' => 'FB']);
        return json_encode(array('status' => 200, 'info' => 'Login Success'));
    }
}

The same happens with Google too,

3 likes
tisuchi (Best Answer)

@deekshith if the procedure is that, I can't see any security issue honestly.

5 likes
Deekshith

Thank you so much. I will upgrade to Socialite and will compare the email fields to allow login from both Google and Facebook for whoever has the same email linked with both.

5 likes
Deekshith

@tisuchi my code will go like this after the Socialite installation, and there is no need to do that manual verification, right? Socialite will take care of this?

$user = Socialite::driver('google')->user();

$check_for_email = User::where('email', $user->email)->where('user_group', 2)->first();

if ($check_for_email) {
    // braces added so the success response is only returned when the login actually succeeded
    if (Auth::loginUsingId($check_for_email->user_id, true)) {
        session()->put('social_login', 2);
        $check_for_email->update(['login_type' => 'FB']);
        return json_encode(array('status' => 200, 'info' => 'Login Success'));
    }
}

5 likes
