getmovement / deprecated-movement-rails-api

DEPRECATED Rails API for getmovement.org

Improve facebook authentication/registration #62

Open begedin opened 8 years ago

begedin commented 8 years ago
  1. When registering through Facebook, either email and password should not be required as parameters, or password should not be required and email should be pulled from Facebook using Koala.
  2. Users should be able to set their email/password at a later time (this is how it usually works with Facebook authentication).
  3. Right now, when signing in, we just check whether the user with the specified Facebook ID and access token is in our database. We may want to consider checking with Facebook first whether it's a valid token/ID combination at all. The assumption is that it will be, but still.

This is all open for discussion, of course.

joshsmith commented 8 years ago

I disagree that email should not be required at signup. Email is often unavailable through Facebook itself, and is even more often unreliable. It's our lifeline to users, far more than push notifications.

Given that we're asking for email, I think password is a reasonable ask, as well. We can measure this obviously and see if we have any dropoff.

Re: 3) What is the impact if the Facebook ID and token combination are wrong?

begedin commented 8 years ago

> I disagree that email should not be required at signup. Email is often unavailable through Facebook itself, and is even more often unreliable. It's our lifeline to users, far more than push notifications.

I get why we need an email, but then I would go with a flow where the user is asked for an email if there is none on Facebook. From the user's perspective, the whole point of third-party authentication is that they don't have to type anything in.

I don't think password is necessary at all. The Facebook access token serves as a temporary password, and can be considered secure, provided we actually check that it's still valid for the specified Facebook ID on the API side. With our current system, where we don't validate the token, I agree it would be insecure and we would need a password.

We could even get a short-lasting token client side, log in with that, and then fetch and store a long-lasting token API side for future use. I believe Facebook has a system sort of like that, but I would need to look into it.

With the current system, we get the user's Facebook information, but we don't really give anything in return.

> Re: 3) What is the impact if the Facebook ID and token combination are wrong?

If the Facebook ID doesn't actually exist, then login should not work. Either our frontend has a bug, or the user is doing something suspicious.

If the combination doesn't work, then the token has expired and we should let the user know that. They probably started logging in, then didn't do anything for a long time and tried to continue.
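The server-side check discussed in point 3 and in the reply above, as an added example that is not code from the deprecated-movement-rails-api project. It assumes the caller has already fetched the Graph API `debug_token` response for the client-supplied token (with Koala, `Koala::Facebook::API.new(app_access_token).debug_token(token)`) and passes the parsed JSON in; the app ID and sample responses are constructed placeholders, and the outcomes map to the two cases begedin distinguishes (unknown/mismatched ID versus expired token).

```ruby
# Added example, not the project's own code. Validates a (Facebook ID, access token)
# pair against Facebook's own verdict instead of trusting the pair the client sent.
# Input: the parsed JSON of Graph API's /debug_token endpoint, whose documented shape is
# {"data" => {"app_id", "is_valid", "user_id", "expires_at", ...}}.
# A short-lived client token can be swapped for a long-lived one server side with
# Koala::Facebook::OAuth#exchange_access_token_info before being stored.

APP_ID = '123456789'.freeze # constructed placeholder; the real value comes from app config

# Returns :ok, or a symbol naming why the login must be refused. Identity checks run
# before validity checks so an ID mismatch is reported even when the token also expired.
def check_facebook_login(debug_payload, claimed_facebook_id, app_id: APP_ID, now: Time.now)
  data = debug_payload.fetch('data', debug_payload)          # accept raw or unwrapped form
  return :wrong_app     unless data['app_id'].to_s == app_id.to_s
  return :user_mismatch unless data['user_id'].to_s == claimed_facebook_id.to_s
  return :invalid_token unless data['is_valid'] == true
  expires_at = data['expires_at'].to_i                         # 0 means "never expires"
  return :expired_token if expires_at.positive? && Time.at(expires_at) <= now
  :ok
end

# Maps the check result to the user-facing outcome the thread describes.
def login_message(result)
  case result
  when :ok then 'signed in'
  when :invalid_token, :expired_token then 'Your Facebook session has expired, please log in again'
  else 'Facebook login failed' # wrong app or ID mismatch: frontend bug or suspicious, worth logging
  end
end

# Constructed sample responses so the example runs offline; real ones come from Graph API.
VALID = { 'data' => { 'app_id' => APP_ID, 'is_valid' => true, 'user_id' => '42',
                      'expires_at' => (Time.now + 3600).to_i } }.freeze
EXPIRED = { 'data' => { 'app_id' => APP_ID, 'is_valid' => false, 'user_id' => '42',
                        'expires_at' => 1, 'error' => { 'message' => 'Session has expired' } } }.freeze

if __FILE__ == $PROGRAM_NAME
  puts login_message(check_facebook_login(VALID, '42'))   # signed in
  puts login_message(check_facebook_login(VALID, '99'))   # Facebook login failed
  puts login_message(check_facebook_login(EXPIRED, '42')) # session expired message
end
```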