How secure it the pattern used behind the button "continue with facebook" when used log into my application and then communicate with the backend server if all we get as authentication result is the email address and based on that we create the user account or log in. I mean, everyone even without using facebook sign-in workflow can post a xhr request to the server with an arbitrary email address and sign in with whatevery email address is used in the request payload?
Am I missing something? Is there some kind of token in the authentication response that I should pass to the backend server and then use it from there to communicate with facebook to make sure (that is, validate) and get confirmation from facebook that it has actually performed related authentication request?
How secure it the pattern used behind the button "continue with facebook" when used log into my application and then communicate with the backend server if all we get as authentication result is the email address and based on that we create the user account or log in. I mean, everyone even without using facebook sign-in workflow can post a xhr request to the server with an arbitrary email address and sign in with whatevery email address is used in the request payload?
Am I missing something? Is there some kind of token in the authentication response that I should pass to the backend server and then use it from there to communicate with facebook to make sure (that is, validate) and get confirmation from facebook that it has actually performed related authentication request?
Thanks!