I am currently developing an app that will use the FB SDK (for the first time) to log a user into the app. The flow is typical, I assume. User taps “log in with facebook”, facebook graph authenticates, then we do a call to our api and log the user in via their facebook email (only) we have on file.
However, whats freaking me out here is, theoretically if some knew our api_token, and knew that calling a POST to a login url with only a valid existing email to log them in, isn’t that a security issue since they could actually log in as someone else. Am I over thinking this? Understandably, they’d have to know every aspect of the api to do any damage. But still, I’m not feeling comfortable with this flow. Am I missing something?
This shouldn’t be something you have to worry about. Facebook first protects you by having the requirement for the user to be logged into Facebook. Next, the user’s UID(readily available to anyone) and your API Key isn’t enough. They’d still need your API Secret Key (which if someone has is a bad thing) to sign requests as you.
What you’re really using is OAuth (though Devise, through OmniAuth). I’m not an expert but you can read more here: http://hueniverse.com/oauth/guide/security/
When a user registers via OAuth, you aren’t going to have a password set for them, and that’s not a huge deal as they have to also first log into Facebook. It might be a good idea though to ask them to set a password if they ever edit their account, that also means they can sign in the old fashion way if they desire/delete Facebook/etc.