3meters / proxibase

Patchr web service

Verification based authentication instead of passwords #415

Closed Jaymassena closed 8 years ago

Jaymassena commented 8 years ago

Account Kit is Facebook's new authentication service. Account Kit creates a database just for our app which is populated with a list of phone numbers or email addresses and unique Account IDs that can be used to link a service user account.

When users log in to a client, they can use phone or email verification instead of using a password secret. If a client passes a Facebook user access token in a call to create or log in a user, the service uses the following workflow.

Login

Validate access token by calling Facebook: GET https://graph.accountkit.com/v1.0/me/?access_token=[access_token]

I expect that any standard process to establish trust with graph will apply.

This returns the Account ID associated with this User Access Token pair if it's valid. Invalid access tokens will return an error. This response will also include the current associated login info, such as email or phone number.

{
  "id": "12345",
  "phone": {
    "number": "+15551234567",
    "country_prefix": "1",
    "national_number": "5551234567"
  }
}

If there is a match between the returned login info and an existing user record, we should proceed just like an authenticated login. The Facebook account id, email, and phone should be captured to the service user record. Any existing values for email/phone are overwritten. If we are tracking whether email/phone have been verified, they should be flagged as true if included in the response. The authSource property is set to "account_kit".

Signup

The only difference between login and signup is that signup will include the user entity along with a user access token and the client secret.

Schema

I suggest adding fields to users named phone and authId (to pair with existing authSource).

Deleting the user

We would need to add a step to our user erase process that also cleans up any linked accounts as well.

Issues

georgesnelling commented 8 years ago

Feature is up and limping with service build 4.1.0. Some color:

If you sign in with both an email and a phone number from the same phone, Facebook considers those different user accounts.

Our current implementation will find users matching on email address with the email address they supply to Facebook. We do not match on phone number, as we have not been collecting phone numbers.

We do not yet have any code to prevent users from updating their phone number or email to be different from their Account Kit verified phone number and/or email address. We need to think this through, both from the perspective of a user trying to change phone numbers or email addresses, or correcting a previous mistake, or merging two legitimate accounts, AND bad guys using all those mechanisms to hack an account.
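The login flow described in the issue and the email-only matching described in the comment above, as an added example that is not proxibase's own code: the Graph call is replaced by a constructed response so it runs offline, the helper names are hypothetical, and the email shape in the response is an assumption (the thread only shows the phone shape).

```javascript
// Added example, not proxibase's own code: the /auth/ak steps from this
// thread as pure functions over a constructed Account Kit response and an
// in-memory users array, so no Graph call is made.

// Step 1: the URL the service calls to validate the token (from the issue).
function accountKitMeUrl(accessToken) {
  return 'https://graph.accountkit.com/v1.0/me/?access_token=' +
    encodeURIComponent(accessToken);
}

// Step 2: interpret the Graph reply. An invalid token comes back as an error
// rather than an id; that is treated as a failed login (returns null).
function parseAccountKitMe(body) {
  if (!body || body.error || typeof body.id !== 'string') return null;
  return {
    authId: body.id,
    // email shape is an assumption; the thread only shows the phone shape
    email: body.email ? body.email.address : undefined,
    phone: body.phone ? body.phone.number : undefined,
  };
}

// Step 3: match the verified login info to an existing user record. As the
// comment above says, the service matches on email only, not on phone.
function linkAccountKitLogin(users, info) {
  if (!info || !info.email) return null;
  const user = users.find(u => u.email === info.email);
  if (!user) return null; // no match: caller routes to signup instead
  user.authSource = 'account_kit';
  user.authId = info.authId;
  user.email = info.email; // existing values are overwritten
  user.emailVerified = true; // only flagged when present in the response
  if (info.phone) { user.phone = info.phone; user.phoneVerified = true; }
  return user;
}

// Constructed sample data (not from the project).
const sampleMeResponse = {
  id: '12345',
  email: { address: 'alice@example.com' },
  phone: { number: '+15551234567', country_prefix: '1', national_number: '5551234567' },
};
const sampleUsers = [
  { _id: 'us.1', name: 'Alice', email: 'alice@example.com', authSource: 'local' },
  { _id: 'us.2', name: 'Bob', email: 'bob@example.com', authSource: 'local' },
];
```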

georgesnelling commented 8 years ago

This is implemented on the server side, under the endpoint /auth/ak. It does not contain features to merge separate accounts yet. If an existing user authenticates with Account Kit using the same email they used for their regular login (which we have in the client cache), we will correctly transition their account. If we detect that more than one user has signed into a device via the installs collection, we return an array called priorUsers in the /auth/signup or /auth/ak response, with name, _id, and phone.

The client may or may not implement its side -- the old authentication mechanism by passwords is still working. I'm going to mark this as implemented and treat future problems as bugs.