Laravel 5 and Socialite - Require Email Address from Facebook - php

Does anyone know how to set the "Email Address" as mandatory when a user logins in via Facebook using Socialite (if it is possible)?
At the moment my integration allows the user to remove the Email Address from the data that will be shared by Facebook on the Facebook side.
While we don't currently use the email address to contact the user, we do use it for matching accounts together if they login via different methods. This makes the site easier for the user overall.
If this is not possible then in the long run I may need to revoke the users access if they don't share the email address in order to avoid data issues. However I will hopefully be able to avoid this.
Any help is appreciated.
Thanks,
Cs1h

You can't explicitly require it, it's up to the user to share it or not when authorizing so you need to build your application to support this.
In my opinion if they don't choose to share the email then you should detect this and have a page that asks them to enter it manually and send them an activation link to confirm their account before linking.

Related

Using Laravel Socialite to connect facebook and validating user permissions

Currently I am creating website that allow user login by their facebook. and the website require their email.
the problem is how to facebook authorization with require their email.
but when the user doesn't give their email permission, how to cancel the authorization process.
I know facebook docs tell me, that facebook was not guarantee we grab the user email. but how to cancel when the user does not allow their email in permission list
https://developers.facebook.com/docs/facebook-login/permissions/v2.3
email
Provides access to the person's primary email address via the email
property on the user object.
Do not spam users. Your use of email must comply with both Facebook
policies and with the CAN-SPAM Act.
Note, even if you request the email permission it is not guaranteed
you will get an email address. For example, if someone signed up for
Facebook with a phone number instead of an email address, the email
field may be empty.
Review Your app may use this permission without review from Facebook.
when user disable their email permissions picture :
[SOLVED]
I can using user revoking permissions.
see here :
Using Laravel Socialite to Manage User socials setting (like pinterest at user settings page)

Google OAuth to remember chosen account

I've implemented Google OAuth 2.0 login on a site that I'm working on. It works fine, except in situations when the user is logged with two or more different accounts on the same browser. It's asking him to choose which one he want's to use. But it's asking the user every time to choose the account. Is there a way to remember this, so the user can choose the account only the first time and later automatically to log him with that account?
You can put hd=domain.com parameter in the request to Google, but that only helps if the two logged accounts are from different domains and it can than log the user in with #domain.com account.
I read somewhere that you can send user_id account as a parameter to Google (I guess that would be the email address), but in this case I don't know the users email address before he logs in.
I think this behavior is the same if you use OpenID.
I'm using Google's PHP OAuth library.
Thanks,
Andrej
Google should have a cookie set that enables OAuth applications to tell what account to currently use.
If you know the email address you want to log in with, you can use the login_hint parameter and they won't see the account chooser. See https://developers.google.com/accounts/docs/OAuth2Login#sendauthrequest

2-Step Authentication using Email Instead of SMS

How would I go about protecting admin or user accounts on my site(s) from brute-force password cracking attempts, using 2-step (a.k.a. 2-factor) authentication? I really want to use SMS 2-Step authentication for my site(s), but I can't find a free provider that is willing to let me send SMS text messages to my [or my customers] cellphones to authenticate access nor an API to do so automatically.
So now I just want to make sure nobody can get into the admin section of my site by sending me an email with a temporary (active for only about 5-10 minutes) code to my private Yahoo or Google email address (hidden in a PHP file), that both already implement SMS two-step authentication, every time I get my username and password correct at the admin login page.
Email identity verification at user login for normal users would be too cumbersome and annoying to implement for every member of my site. SMS would be too, if there were no way to disable it. However I don't mind going to my email to get the code at every admin login attempt if it means extra security for my site(s).
I'm looking [specifically] for some type of PHP session-based code that I can put at the top of my admin pages, and a random code generator to create and send the code to my email for the admin login. Any help would be greatly appreciated!

Validating Users Authenticated with Oauth

I've got Oauth support in place for an app I'm working on. What I'm trying to work through is the logic for associating Oauth accounts.
Example:
Let's say a user has logged in before. They authenticated using Facebook. I now have an email address which I can safely assume will always be unique to that user. However, Twitter does not provide email addresses through its Oauth implementation, so if someone signs in with Twitter, and then Facebook, how do I correctly associate their account? I can't use user name, or handler, because obviously that could vary per provider. Is there any other way I could do this?
Do I require the user to enter their email address if they use an Oauth provider which omits it? I'm trying to put together the best user experience and the most stable system - so your help is highly appreciated.
If you're looking at working with multiple identity providers then your best solution would be to use an internal ID unique to your system and then associate the external accounts with that ID when the external authentication takes place. Additionally users in FB can change their primary email address so it would be safe to assume it's unique it's probably not safe to assume that it's current.

Google Account ID?

I am building an app on top of Google Reader. Since users have to enter their Google Account data, I'd like to use this data to assign personal settings to each user.
However, if I do so and a user would change his email adress or password(for the whole Google Account), I wouldn't be able to identify him anymore.
Thus, I need to know if there's a Google Account ID or something that I can use to identify users regardless of an email adress or password.
Thanks for your help!
If you use the Google Account API, you can connect the user to your app using OpenID or OAuth. Both methods return an account ID which stays static for that user.
More information: http://code.google.com/apis/accounts/

Categories