Open begedin opened 8 years ago
I disagree that email should not be required at signup. Email is often unavailable through Facebook itself, and is even more often unreliable. It's our lifeline to users, far more than push notifications.
Given that we're asking for email, I think password is a reasonable ask, as well. We can measure this obviously and see if we have any dropoff.
Re: 3) What is the impact if the Facebook ID and token combination are wrong?
> I disagree that email should not be required at signup. Email is often unavailable through Facebook itself, and is even more often unreliable. It's our lifeline to users, far more than push notifications.
I get why we need an email, but then I would go with a flow where the user is asked for an email if there is none on Facebook. From the user's perspective, the whole point of 3rd party authentication is that they don't have to type anything in.
I don't think password is necessary at all. The Facebook access token serves as a temporary password, and can be considered secure, provided we actually check that it's still valid for the specified Facebook ID on the API side. With our current system, where we don't validate the token, I agree it would be insecure and we would need a password.
We could even get a short-lasting token client side, log in with that and then fetch and store a long-lasting token API side for future use. I believe Facebook has a system sort of like that, but I would need to look into it.
With the current system, we get the user's Facebook information, but we don't really give anything in return.
> Re: 3) What is the impact if the Facebook ID and token combination are wrong?
If the Facebook ID doesn't actually exist, then login should not work. Either our frontend has a bug, or the user is doing something suspicious.
If the combination doesn't work, then the token has expired and we should let the user know that. They probably started logging in, then didn't do anything for a long time and tried to continue.
This is all open for discussion, of course.
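The API-side check discussed above, as an added example that is not code from this project: the server validates the client's Facebook token against the claimed Facebook ID and maps the outcome to the cases the thread lists (valid, expired, belongs to someone else). It assumes Facebook's debug_token endpoint response shape (`data.app_id`, `data.is_valid`, `data.user_id`, `data.expires_at`); the Graph API call itself is replaced by an injected stub with constructed responses, and `OUR_APP_ID` is a placeholder.

```python
import time
from enum import Enum
from typing import Any, Callable, Dict, Optional

OUR_APP_ID = "123456"    # constructed placeholder: the API server's own Facebook app id
NOW = 1_700_000_000      # fixed "current time" so the constructed sample is deterministic


class LoginResult(Enum):
    OK = "ok"                        # id and token agree: sign the user in
    TOKEN_EXPIRED = "token_expired"  # invalid or expired: ask the user to sign in with Facebook again
    WRONG_APP = "wrong_app"          # token was issued to a different app: reject
    ID_MISMATCH = "id_mismatch"      # token belongs to another user: reject and log as suspicious


def verify_facebook_login(claimed_fb_id: str, user_token: str,
                          debug_token: Callable[[str], Dict[str, Any]],
                          now: Optional[float] = None) -> LoginResult:
    # debug_token(token) stands in for Facebook's GET /debug_token call and returns
    # a dict shaped like {"data": {"app_id", "is_valid", "user_id", "expires_at"}}.
    now = time.time() if now is None else now
    data = debug_token(user_token).get("data", {})
    expires_at = data.get("expires_at") or 0     # 0 means the token never expires
    if not data.get("is_valid") or (expires_at and expires_at <= now):
        return LoginResult.TOKEN_EXPIRED
    if str(data.get("app_id")) != OUR_APP_ID:
        return LoginResult.WRONG_APP
    if str(data.get("user_id")) != str(claimed_fb_id):
        return LoginResult.ID_MISMATCH
    return LoginResult.OK


# Constructed stand-in for the Graph API: canned debug_token responses keyed by token.
FAKE_DEBUG_RESPONSES = {
    "tok-alice-valid":   {"data": {"app_id": OUR_APP_ID, "is_valid": True,
                                   "user_id": "1001", "expires_at": NOW + 3600}},
    "tok-alice-expired": {"data": {"app_id": OUR_APP_ID, "is_valid": False,
                                   "user_id": "1001", "expires_at": NOW - 60}},
    "tok-other-app":     {"data": {"app_id": "999999", "is_valid": True,
                                   "user_id": "1001", "expires_at": 0}},
}


def fake_debug_token(token: str) -> Dict[str, Any]:
    # Unknown tokens come back as invalid, as the real endpoint reports them.
    return FAKE_DEBUG_RESPONSES.get(token, {"data": {"is_valid": False}})
```

In production the stub is replaced by the real debug_token request made with the app's own token, and an ID mismatch is worth logging since it is either a frontend bug or someone presenting a token that is not theirs.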