co-dax
commented
7 months ago Could an approach be to just pass access token to the backend and then try calling facebook graph api with that access token and if the token is valid then we are sure there actually has been a successful login request for that facebook user on the UI/client?
How secure it the pattern used behind the button "continue with facebook" when used log into my application and then communicate with the backend server if all we get as authentication result is the email address and based on that we create the user account or log in. I mean, everyone even without using facebook sign-in workflow can post a xhr request to the server with an arbitrary email address and sign in with whatevery email address is used in the request payload?
Am I missing something? Is there some kind of token in the authentication response that I should pass to the backend server and then use it from there to communicate with facebook to make sure (that is, validate) and get confirmation from facebook that it has actually performed related authentication request?
Thanks!